Educause Security Discussion mailing list archives
Re: Password entropy
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 19 Jul 2006 16:42:09 -0700
David,

> "1angtPalftm" So I'm not using it as an actual passphrase, but as a mnemonic.

Fair enough. 62^11 gets you in the quintillion range assuming true randomness, which would be excellent. Yet, an equation could be made for mnemonics (for example, only 50 common English words start with the letter 'Z', while 1,000 words start with the letter 'A', etc). It would be interesting to see math for this.

Roger,

> the shorter phrase is stronger than the longer phrase?

I think that is questionable. One would have to work out the entropy. One thing to think about is that effective cracking would need to target phrases versus passwords. Thus, one could make an argument for security through obscurity, since most crackers target passwords (and thus mnemonics) the phrase approach is stronger. Also, consider that depending on the cracking approach, either each letter is a factor in the entropy (passwords) or each word is a factor (in pass phrases): an important difference here is that characters have a limited amount of variation (in a good scenario, 96 variations), while words could theoretically have 500,000 variations, which significantly alters the math! :) In the absence of math on entropy for passphrases, I tend to think they are stronger (and easier).

> First off, I assume that for all practical purposes this is an academic
> discussion.

Partly, but I think this is a real problem. With modern computing power, botnets, etc, cracking complex passwords challenges many traditional concepts of password strength. For example, a completely random 8 character password considering all letters, cases, numbers, and symbols, is very easy to crack! A couple hours on average. Considering that true randomness is difficult to attain versus the effectiveness of the cracking program, even those few hours can be significantly reduced.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
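The entropy comparison this message asks about, as an added example that is not part of the original post: it sets uniformly random characters against a first-letter mnemonic and against whole-word passphrases. The per-letter word counts are constructed (only A=1000 and Z=50 come from the message), and the model assumes each word of the source sentence is picked independently and uniformly from the list, counting letter initials only (no digits or capitals).

```python
import math

# Constructed counts of common English words per initial letter. Only a=1000 and
# z=50 come from the message; every other value is a made-up placeholder.
FIRST_LETTER_COUNTS = {
    "a": 1000, "b": 900, "c": 1400, "d": 800, "e": 600, "f": 650, "g": 450,
    "h": 550, "i": 500, "j": 120, "k": 100, "l": 500, "m": 750, "n": 300,
    "o": 350, "p": 1200, "q": 70, "r": 800, "s": 1700, "t": 850, "u": 250,
    "v": 250, "w": 400, "x": 10, "y": 60, "z": 50,
}

def uniform_bits(alphabet_size, length):
    """Entropy in bits of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def shannon_bits_per_symbol(counts):
    """Average bits per symbol when symbol i has probability counts[i]/total."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def min_entropy_bits_per_symbol(counts):
    """Worst-case bits per symbol: a guesser always tries the likeliest first."""
    return -math.log2(max(counts.values()) / sum(counts.values()))

def words_to_match(target_bits, dictionary_size):
    """Uniformly chosen dictionary words needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))

if __name__ == "__main__":
    random_11 = uniform_bits(62, 11)       # the 62^11 case from the message
    random_8 = uniform_bits(96, 8)         # "96 variations" per character
    h = shannon_bits_per_symbol(FIRST_LETTER_COUNTS)
    h_min = min_entropy_bits_per_symbol(FIRST_LETTER_COUNTS)
    print(f"random 11 chars from 62:    {random_11:5.1f} bits")
    print(f"random 8 chars from 96:     {random_8:5.1f} bits")
    print(f"11 word initials (Shannon): {11 * h:5.1f} bits ({h:.2f}/letter)")
    print(f"11 word initials (min):     {11 * h_min:5.1f} bits ({h_min:.2f}/letter)")
    for label, bits in (("62^11", random_11), ("96^8", random_8)):
        n = words_to_match(bits, 500_000)
        print(f"{label}: matched by {n} random words from a 500,000-word list")
```

The word-count result holds only if the words are chosen at random from the full list; words picked by a person, or taken from a known sentence, carry fewer bits each.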