Educause Security Discussion mailing list archives
Re: Password entropy
From: scott hollatz <shollatz () D UMN EDU>
Date: Wed, 19 Jul 2006 15:16:01 -0500
[stuff deleted]
Which is a better password?

abcdefghijklmnopqrstuvwxyz
1angtPalftm

Just based on a tool I have from SANS, it will take a maximum of 7,125,138,403,017,540,000 days to crack a 26 character string, that is only based on the lowercase character set. It will take a maximum of 60 to crack the 11 character string, based on the upper/lowercase and numerals. Both assume that the exact length is known. BTW, just as a FYI, it will take a maximum of 9,740,929,530,489,110,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 days to crack the original phrase based on the 94 character set of upper/lower special and space. I do not know how much the dictionary will reduce that number to, but assume it is significant.
I agree there are computational complexity advantages in longer pass strings, but the above example was meant to highlight the entropy issue. A (semi)random brute force analysis would take a long time, but a targeted attack on a Mac OS fanatic who routinely makes it known that "I love my Mac and it loves Me" and who is not fond of complexities *might* be a better entropy attack target (the task is still daunting). The quote on my signature line might make a good pass string if reading left to right, but is somewhat less good reading right to left, mainly because the mind is filling in details, and if a mind can do it, then maybe a computer can, too. Again, it's the entropy thing, but still computationally hard with brute force.

Anyone have stats on breaking a hash of 'abcdefghi' and methods used other than brute force?

(Disclaimer: I have nothing against Mac users and owners.)

--
scott hollatz                                net  shollatz () d UMn eDu
information technology systems and services  tel  +1 218 726 8851
university of minnesota duluth mn usa        fax  +1 218 726 7674
-- "Asn aD ta zlAp em uT zt33rg"
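The distinction drawn in the message above, between exhaustive keyspace and guessability, as an added example that is not part of the original post and is not the SANS tool. The rate of 10^13 guesses per second is an assumption, chosen because it reproduces the 26- and 11-character figures quoted in the thread; the sequence model in `structured_guesses` and its `max_len` bound are hypothetical.

```python
import math
import string

GUESSES_PER_SEC = 10**13   # assumption: rate that reproduces the quoted 26- and 11-char figures
SECONDS_PER_DAY = 86_400

def charset_size(pw):
    """Size of the smallest common pool covering pw: 26 lower, 26 upper, 10 digits, 32 other."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]
    size = sum(n for chars, n in pools if any(c in chars for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 32
    return size

def brute_force_days(pw, rate=GUESSES_PER_SEC):
    """Worst-case days to try every string of exactly len(pw) over pw's character pool."""
    return charset_size(pw) ** len(pw) / (rate * SECONDS_PER_DAY)

def is_sequence(pw):
    """True if each character is the previous one +1, or each is -1, in code-point order."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) > 2 and steps in ({1}, {-1})

def structured_guesses(pw, max_len=64):
    """Guesses needed by a hypothetical model that enumerates plain sequences first:
    start character x length x direction. None when pw is not such a sequence."""
    return charset_size(pw) * max_len * 2 if is_sequence(pw) else None

def effective_bits(pw):
    """log2 of the smaller search space: exhaustive keyspace or the sequence model."""
    keyspace = charset_size(pw) ** len(pw)
    structured = structured_guesses(pw)
    return math.log2(min(keyspace, structured) if structured else keyspace)

if __name__ == "__main__":
    # The two strings compared in the thread, plus the 'abcdefghi' case asked about.
    for pw in ("abcdefghijklmnopqrstuvwxyz", "1angtPalftm", "abcdefghi"):
        print(f"{pw!r}: brute force {brute_force_days(pw):.3g} days, "
              f"effective {effective_bits(pw):.1f} bits")
```

The brute-force column ranks the 26-letter alphabet far above the 11-character string, while the effective-bits column reverses that order once a single predictable pattern is modelled.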