Educause Security Discussion mailing list archives

Re: Password entropy


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 19 Jul 2006 13:50:07 -0500

At 01:26 PM 7/19/2006, Buz Dale put fingers to keyboard and wrote:
Exactly - "1 am not going to PAY a lot for the muffler!"
could become "1a~gt$al4tm!"

First off, I assume that for all practical purposes this
is an academic discussion.  It's obviously going to take
a VERY long time to crack either of these.  That being
the case, there are better methods for obtaining the
phrase.  However, that being said...

My assumption is that what is being said is that because
the shorter phrase is not using dictionary words, that
it is stronger than the longer phrase that is.  I'm not
convinced that's true.  If I count correctly, that
phrase is 44 characters long.  Even if you do get to
use the dictionary to seed your attempts, the fact that
one phrase is four times longer than the other is going
to play a significant role, especially since they both
use the same character set.

From my point of view, users are more likely to use
a longer phrase, rather than the shorter, but more
complex passphrase.  Once you cross a certain threshold,
let's call it X, the phrase is strong enough.  The key is
getting your users to use a phrase that can meet that
criterion.  I have not seen a lot of users who will use
complex combinations.  Have you?


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
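
An added worked example (not part of the original message): it estimates the guessing space of the two passphrases quoted in this thread under per-character brute force and under a dictionary-seeded word guess. The 95-character set, the 100,000-word dictionary, the 16 variants per word and the small word list are assumptions chosen for illustration.

```python
import math
import string

LONG = "1 am not going to PAY a lot for the muffler!"   # from the thread
SHORT = "1a~gt$al4tm!"                                   # from the thread

# Assumptions for illustration, not figures from the thread:
CHARSET = 95          # printable ASCII, used for both phrases
DICT_WORDS = 100_000  # size of the attacker's word list
VARIANTS = 16         # case/substitution/punctuation variants tried per word
# Constructed stand-in for "is this token in the attacker's dictionary?"
WORDS = {"i", "am", "not", "going", "to", "pay", "a", "lot", "for", "the", "muffler"}

def brute_force_bits(s):
    """Search space in bits when every character is guessed independently."""
    return len(s) * math.log2(CHARSET)

def normalize(token):
    """Undo the simple mangling a dictionary attack would try anyway."""
    return token.strip(string.punctuation).lower().replace("1", "i")

def dictionary_seeded_bits(s):
    """Search space in bits when known words are guessed as whole units.

    Tokens found in the dictionary cost log2(DICT_WORDS * VARIANTS) each;
    anything else falls back to per-character brute force.
    """
    bits = 0.0
    for token in s.split():
        if normalize(token) in WORDS:
            bits += math.log2(DICT_WORDS * VARIANTS)
        else:
            bits += len(token) * math.log2(CHARSET)
    return bits

def effective_bits(s):
    """The attacker picks whichever model is cheaper."""
    return min(brute_force_bits(s), dictionary_seeded_bits(s))

if __name__ == "__main__":
    for name, phrase in (("long", LONG), ("short", SHORT)):
        print(f"{name:5} len={len(phrase):2} "
              f"brute={brute_force_bits(phrase):6.1f} bits "
              f"dictionary-seeded={dictionary_seeded_bits(phrase):6.1f} bits "
              f"effective={effective_bits(phrase):6.1f} bits")
```

The word model treats each word as an independent pick from the dictionary, so it overstates the strength of a phrase that is a known quotation or slogan, which an attacker can try as a single guess.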
