Educause Security Discussion mailing list archives
Re: Password entropy
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 20 Jul 2006 08:40:10 -0500
At 03:16 PM 7/19/2006, scott hollatz put fingers to keyboard and wrote:
I agree there are computational complexity advantages in longer pass strings, but the above example was meant to highlight the entropy issue. A (semi)random brute force analysis would take a long time, but a targeted attack on a Mac OS fanatic who routinely makes it known that "I love my Mac and it loves Me" and who is not fond of complexities *might* be a better entropy attack target (the task is still daunting).
Assuming we all agree that choosing a phrase that you routinely is a bad idea, what is a reasonable recommendation? Here's what I'm leaning towards:

- 15 or more characters (this gets around and local LM hash as well)
- Mixture of upper and lower case
- Use numerals and special characters

Now I would love to have a nice minimum as well, but I suspect that I won't be able to get it. (or at least much beyond our current minimum of 6) :-(

Now while I concede that if you have two passwords of equal length and constructed from the same character sets, but one is pretty random, and the other is composed of words, the random will be stronger. I just don't see many of my users voluntarily using long relatively random passwords. So I am going to be pushing the easier, and hopefully longer, word based phrases.

--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"