Educause Security Discussion mailing list archives

Re: Password entropy
From: scott hollatz <shollatz () D UMN EDU>
Date: Wed, 19 Jul 2006 15:16:01 -0500

        [stuff deleted]
Which is a better password?

        abcdefghijklmnopqrstuvwxyz
        1angtPalftm

Just based on a tool I have from SANS, it will take a maximum of
7,125,138,403,017,540,000 days to crack a 26 character string,
that is only based on the lowercase character set.  It will take a
maximum of 60 to crack the 11 character string, based on the
upper/lowercase and numerals.  Both assume that the exact length
is known.  BTW, just as a FYI, it will take a maximum of
9,740,929,530,489,110,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
days to crack the original phrase based on the 94 character set
of upper/lower special and space.

I do not know how much the dictionary will reduce that
number to, but assume it is significant.

I agree there are computational complexity advantages in longer
pass strings, but the above example was meant to highlight the
entropy issue.  A (semi)random brute force analysis would take
a long time, but a targeted attack on a Mac OS fanatic who routinely
makes it known that "I love my Mac and it loves Me" and who is not
fond of complexities *might* be a better entropy attack target
(the task is still daunting).

The quote on my signature line might make a good pass string if reading
left to right, but is somewhat less good reading right to left, mainly
because the mind is filling in details, and if a mind can do it, then
maybe a computer can, too.  Again, it's the entropy thing, but still
computationally hard with brute force.

Anyone have stats on breaking a hash of 'abcdefghi' and methods used
other than brute force?

(Disclaimer:  I have nothing against Mac users and owners.)

--
scott hollatz                                        net shollatz () d UMn eDu
information technology systems and services          tel +1 218 726 8851
university of minnesota duluth mn usa                fax +1 218 726 7674
                                                                         --
                                              "Asn aD ta zlAp em uT zt33rg"
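
Added example, not from the post or its author: a Python script that reproduces the kind of maximum-brute-force estimate quoted above. It assumes a guess rate of 10^13 guesses per second (chosen because that rate reproduces the post's first figure) and four character classes sized to sum to the 94-character set the post mentions; it also reports the entropy in bits and the larger keyspace an attacker faces when the exact length is not known.

```python
import math
import string

# Assumed guess rate (not from the post): 1e13 guesses/second reproduces the
# post's first figure, since 26^26 / (1e13 * 86400) is about 7.125e18 days.
GUESSES_PER_SECOND = 10**13
SECONDS_PER_DAY = 86_400

# Character classes; "other" (punctuation and space) is sized so the four
# classes sum to the 94-character set named in the post (assumption).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 32}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet covering every character."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("other")
    return sum(CLASS_SIZES[c] for c in used)


def keyspace(alphabet: int, length: int, exact_length: bool = True) -> int:
    """Candidates to try: N^L if the length is known, else N^1 + ... + N^L."""
    if exact_length:
        return alphabet ** length
    return sum(alphabet ** k for k in range(1, length + 1))


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy for a uniformly random string of this alphabet/length."""
    return length * math.log2(alphabet)


def max_crack_days(alphabet: int, length: int, exact_length: bool = True) -> float:
    """Worst-case days to exhaust the keyspace at the assumed guess rate."""
    return keyspace(alphabet, length, exact_length) / (GUESSES_PER_SECOND * SECONDS_PER_DAY)


if __name__ == "__main__":
    for pw in ("abcdefghijklmnopqrstuvwxyz", "1angtPalftm"):
        n, L = alphabet_size(pw), len(pw)
        print(f"{pw}: alphabet={n} length={L} bits={entropy_bits(n, L):.1f} "
              f"days(exact length)={max_crack_days(n, L):.3g} "
              f"days(any length<=L)={max_crack_days(n, L, False):.3g}")
```

The exact-length figures match the post's 7.1e18 days and 60 days; the point the script makes explicit is that a 26-letter alphabetical run only scores that high if the attacker is truly guessing uniformly, which a pattern or dictionary attack does not do.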
