Re: Length vs Complexity

[p8x <l () p8x net>]

I personally base password strength off the bit strength (entropy) of 
the password, as well as not selecting dictionary words. In the case of 
your passwords, "Security.Basics.List" is 92 bits (there are 2^92 
possibilities if someone was to attempt a brute force). In comparison, 
"D*3ft!7z" is 51 bits.

In a brute force attack the shorter password would come out second best, 
although keep in mind factors like dictionary attacks etc. can speed up 
guesses of common words.


On 17/09/2010 1:01 AM, Mike Razzell wrote:
> Users hear constantly that they should add complexity to their
> passwords, but from the math of it doesn't length beat complexity
> (assuming they don't just choose a long word)?  This is not to suggest
> they should not use special characters, but simply that something like
> Security.Basics.List would provide better security than D*3ft!7z.  Is
> that correct?
>
> Thanks,
> -Mike


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------