Educause Security Discussion mailing list archives
Re: Password entropy
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 19 Jul 2006 13:50:07 -0500
At 01:26 PM 7/19/2006, Buz Dale put fingers to keyboard and wrote:
Exactly - "1 am not going to PAY a lot for the muffler!" could become "1a~gt$al4tm!"
First off, I assume that for all practical purposes this is an academic discussion. It's obviously going to take a VERY long time to crack either of these. That being the case, there are better methods for obtaining the phrase. However, that being said... My assumption is that what is being said is that because the shorter phrase is not using dictionary words, that it is stronger than the longer phrase that is. I'm not convinced that's true. If I count correctly, that phrase is 44 characters long. Even if you do get to use the dictionary to seed your attempts, the fact that one phrase is four times longer than the other is going to play a significant roll, especially since they both use the same character set.
From my point of view, users are more likely to use
a longer phrase, rather than the shorter, but more complex passphrase. Once you cross a certain threshold, lets call it X, the phrase is strong enough. The key, is getting your users to use a phrase that can meet that criteria. I have not seen a lot of users who will use complex combinations. Have you? -- Roger A. Safian r-safian () northwestern edu (email) public key available on many key servers. (847) 491-4058 (voice) (847) 467-6500 (Fax) "You're never too old to have a great childhood!"
Current thread:
- Re: Password entropy Basgen, Brian (Jul 19)
- <Possible follow-ups>
- Re: Password entropy Brent Sweeny (Jul 19)
- Re: Password entropy David Gillett (Jul 19)
- Re: Password entropy Buz Dale (Jul 19)
- Re: Password entropy Roger Safian (Jul 19)
- Re: Password entropy scott hollatz (Jul 19)
- Re: Password entropy Roger Safian (Jul 19)
- Re: Password entropy Roger Safian (Jul 19)
- Re: Password entropy Roger Safian (Jul 19)
- Re: Password entropy David Gillett (Jul 19)
- Re: Password entropy Roger Safian (Jul 19)
- Re: Password entropy scott hollatz (Jul 19)
- Re: Password entropy Valdis Kletnieks (Jul 19)
- Re: Password entropy Dave Koontz (Jul 19)
- Re: Password entropy Basgen, Brian (Jul 19)
- Re: Password entropy Basgen, Brian (Jul 19)
- Re: Password entropy Roger Safian (Jul 20)
(Thread continues...)