Xkcd Download _HOT_ Time
Shana Frear
"Time" is the 1,190th strip of Randall Munroe's webcomic xkcd. Beginning with a single frame published at midnight on March 25, 2013, the image was updated every 30 minutes until March 30, 2013, and then every hour for 118 days (123 days in total), ending on July 26 with a total of 3,102 unique images.[1] Each image represented a single frame in a larger story.
They climb up and eventually reach a small abandoned house. While there, the man is attacked by a big cat, which the woman routs with a piece of wood. The man is unscathed, but the woman sustains a wound to her leg, which they wrap with a flag brought from when they were creating the sand castle. They decide that traveling in search of people towards the top of the mountain (where they see a structure) would be a better medical option than heading back home, so they continue towards the mountaintops. As night falls, they rest in the wild. The man takes the first guard shift, and the stars in the night sky time-lapse behind him. He wakes the woman to take his turn to sleep. When he eventually wakes up, the two characters press on with the intention of turning back if they do not find people.
Upon returning home, the two characters attempt to coordinate an escape with their own people. A girl appears in a boat she constructed from wood used in the sand castle from the beginning of the story; this causes the tribe to abandon their original plans and instead attempt to float up the river. After expanding the boat, the group boards it and sets sail. Soon they join the remaining members of their tribe, who had been in their own smaller boat. After a night of drifting, while the others are still asleep, the man and woman spot land. When they reach it, the story ends with the man and woman, last to depart, going into the new wilderness to explore it, with the boat seen bobbing in the water.[2] The final five frames of the comic, in which the boat is bobbing on the water, are currently rotating in an undetermined pattern for the comic on the xkcd website.[3][4]
In the scene where the male and female sleep in shifts, a time lapse of stars in the night sky occupies the background. This was done with the help of astronomy software to render the night sky of the characters' location, in their specific time, accounting for projected precession of the equinoxes and stellar motion over the next 11,000 years. The starfield lacks the star Antares, as Munroe consulted with astronomer Phil Plait, who told him that the star may go supernova before the date in which "Time" is set.[7][8]
Inside the page is a script and it uses simple Ajax to download a new image every so often. The script is minified and so not easy to follow, but there are a number of programmers taking the time to figure it out. The request redirects server side to a new image and it is difficult or impossible to get at the future images (they might not have been created yet) but if you know the links you can get the previous images. This has resulted in a number of sites putting the frames together to produce either an animated gif or a pseudo video that downloads each frame in turn.[12]
The comic garnered "obsessive" attention from viewers on xkcd's forum, with a discussion thread that exceeds 2,500 pages and 100,000 posts. Fans created a wiki specific to "Time", and a glossary of invented terms to describe the comic.[7][23]
So if our character set is just using digits (from 0-9), it would take longer to walk a 6 digit combination than a 3 digit combination. (As character sets change this calculation can become more complex. Especially disparate character sets per position of the secret.) This unit of time can be used as a deterrent for attackers, and is often used as a metric to directly equate password strength.
But this is still only part of the problem. If an attacker knows something about how the passwords were created, they would be able to reduce the recovery time. To make sure we maximize recovery time, we need to make sure the selection process introduces randomness. If our selections are truly random, it removes the predictability factor and forces an attacker to walk more of the key space to recover our secrets. Cryptography tries to measure this randomness by what is called entropy.
I think people have understood for a long time that NIST's original Special Publication 800-63B had not been a successful approach to a password policy. Passwords made with this policy often have a limited amount of time it will take an attacker to brute force the keyspace, and the difficulty it presents for most people to remember is pretty terrible. But what do we replace it with?
This xkcd comic suggests what is essentially diceware over the traditional patterns. Diceware isn't a new concept, but it's definitely not as popular for creating passwords. The idea here is to create memorable secrets, chosen at random, with high levels on entropy compared to traditional passwords.
We have an established set of rules for measuring entropy, but it can be easy to apply this incorrectly. For example, passwords are often measured in bits of entropy, but there's a strong argument to be made that bits are the wrong metric to determine password strength. We could easily be using n-grams or shingles (entire words) to constitute our key space, and this affects recovery times and resilience. In our example xkcd comic, 44 bits of entropy is estimated to take 550 years to brute force. There are quite a number of assumptions being made there, (assuming max key space walks for every attack, assuming static crack rates of 1000 H/s, assuming straight brute force of bits, etc.) and none of them model a real-world attack. By filtering on the base components of the passwords, we can skip irrelevant combinations of bits and reduce the key space for a successful attack. Realistically, we need a better way to measure password strength.
A majority of the material and resources I see floating around seem to suggest that attackers are going to waste their time just straight brute-forcing your passwords. The reality is, tools like Hashcat don't even have a brute force mode anymore. You could emulate one if you really needed to (in Hashcat you would step through a large binary mask and disable markov chains), but there are often way more effective attacks to use instead. Using publicly available information, and well established patterns of human behaviour, an attacker can reduce the key space of an attack even further to a reasonable subset. The result is a significantly smaller recovery time than blue teams are expecting.
Back in the mid-90s, diceware's creator (Arnold Reinhold) originally claimed a minimum of 5 words was necessary to reasonably protect the average user. By the time xkcd's comic was released in 2014, he raised this minimum to 6 words. xkcd's comic is obviously below this requirement.
xkcd seems to suggest that the entropy is tied to the number of characters in the secret. However, previously set standards (eg., read Bruce Schneier's Applied Cryptography, which references the work of Claude Elmwood Shannon) tie the entropy of diceware to the size of the source list, which is defined as a minimum of log2(6^5) words, and each word selected adds 12.9 bits of entropy. To put this in perspective, the 51.6 bits of a 4 word diceware password is thought to be about the same strength as an 8 character password made up of random ASCII characters.
Password security is one of those things I spend a lot of time thinking about. Perhaps too much time, to be honest. I've been pretty fortunate that my role at OkCupid allows me significant lateral freedom for research, and the ability to implement strong security controls as the direct result of this research. As a good example, OkCupid stopped aging out employee passwords by policy a couple of years before NIST revised SP 800-63B. Instead, regular password audits are performed as a mitigating control. Employee password hashes for critical core resources are collected and thrown into a password cracking rig. Any passwords which are recovered are forced to be changed.
Since this has been going on for a few years, some of the more tenured employees have developed stronger password hygiene (which is exactly the goal of our program.) This is great against some of the more common attacks, but I started wondering what kind of advanced attacks we could perform against our more resilient employees. The above xkcd comic immediately came to mind, and I wondered what a reasonable attack would look like to recover someone choosing a 4-word xkcd-style diceware.
Of course I let him know to change his password (he immediately started selecting much longer dicewares), but I also asked him how he selected the compromised password. Interestingly, he didn't select it from his head; he actually used a popular xkcd password generator. If you read the article paired with the generator, it explains how the author selected a source dictionary of 1949 words (not even the 2048 recommended by xkcd, because it's "close enough" - which is mathematically untrue in this context.) This only provides 1949^4 max combinations, which is actually a smaller key space than the job I ran at a little under 2458^4. In theory, I could have grabbed the source for this generator (available in the web page's source code) and just walked through that entire key space in less time.
If we are assuming that you can easily crack an xkcd password in 6 days, you would have to change your passwords at least 2 times a week as a reasonable mitigating control (but of course that comes with its own security problems!)
His contention seems to be that because it's known that people might construct their passwords in such a way that it makes it amenable to attack, but it seems like the strength lies purely in the power of exponents. I assume he's alluding to people not choosing the words truly randomly, which perhaps isn't totally disingenuous, as I've rerolled a couple times to get something that isn't all adverbs and adjectives. However, I assume that lowering the entropy by a factor of 2-10 isn't really significant (if the word list is doubled to 4000, not that hard, the loss is more than recovered).
df19127ead