Incorrect Horse Battery Staple

An interesting argument should provoke thought. But if it’s also appealing, it can have the opposite effect: it is seen as a solution (to a problem that may or may not be well-specified) and given no further thought.

A good case in point is the xkcd classic Correct Horse Battery Staple. It presents succinctly an appealing argument, and is widely cited as words of wisdom on the subject of passwords. But it seems those who cite it are usually blind to its limitations: if presented as a general solution to the problem of passwords, it’s basically useless.

It’s true that it’s the right solution to a more limited problem: passphrases for cryptographic private keys such as SSH and PGP. As with PINs for your bank cards (a close analogy), you have just one or two to remember. It’s good that the security should be high, particularly where there’s no primary line of defence against brute-force attack (such as the bank suspending your card automatically after three incorrect PIN attempts). But in that context we have always spoken not of passwords but of passphrases: you shouldn’t need xkcd to tell you about them, because you were told when you first followed instructions on using SSH.

However, Correct Horse Battery Staple offers nothing more to the general problem of passwords than the thought it immediately provokes. In the first place, the cartoon’s ideas on what is memorable are perhaps a little disingenuous. So too are the security claims: there are defences against brute-force attacks, and 44 bits of entropy is complete nonsense against something as simple as a dictionary, let alone AI that can correlate the supposed memorability of CHBS with its linguistic characteristics.

But far more importantly, it doesn’t scale: how many such phrases can you ever hope to memorise without hopelessly confusing them? No matter how much you might want to argue with my last paragraph, the original problem is still there. I think it’s actually worse!

Great for a passphrase, useless for multiple passwords. What the world needs is password-free cryptographic identity such as PGP and OpenID to replace all those horrible passwords. And without a centralised authority whose own motives and competence might fall under suspicion.

Posted on August 22, 2021, in Uncategorized.