Educause Security Discussion mailing list archives

Re: Password entropy


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 20 Jul 2006 08:40:10 -0500

At 03:16 PM 7/19/2006, scott hollatz put fingers to keyboard and wrote:
I agree there are computational complexity advantages in longer
pass strings, but the above example was meant to highlight the
entropy issue.  A (semi)random brute force analysis would take
a long time, but a targeted attack on a Mac OS fanatic who routinely
makes it known that "I love my Mac and it loves Me" and who is not
fond of complexities *might* be a better entropy attack target
(the task is still daunting).

Assuming we all agree that choosing a phrase that you routinely
is a bad idea, what is a reasonable recommendation?

Here's what I'm leaning towards:

15 or more characters (this gets around any local LM hash as well)
Mixture of upper and lower case
Use numerals and special characters

Now I would love to have a nice minimum as well, but I suspect that
I won't be able to get it.  (or at least much beyond our current
minimum of 6)  :-(

Now while I concede that if you have two passwords of equal length
and constructed from the same character sets, but one is pretty
random, and the other is composed of words, the random will be
stronger, I just don't see many of my users voluntarily using
long relatively random passwords.  So I am going to be pushing
the easier, and hopefully longer, word based phrases.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
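An added example, not part of the post or the list archive, that puts numbers on the point made above: a random string and a word-based phrase of the same length over the same character set differ in entropy because the phrase is drawn from a dictionary of words, not from all strings. The dictionary sizes (2,000 and 20,000 words) are assumptions chosen for illustration, and the policy check simply encodes the three recommendations in the post (15+ characters, mixed case, numerals and specials).

```python
import math
import string

# Character classes the policy check looks for (string module constants).
LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
DIGITS, SPECIAL = string.digits, string.punctuation
PRINTABLE = 95  # printable ASCII symbols a fully random password could draw from


def random_password_bits(length: int, alphabet_size: int = PRINTABLE) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def word_phrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy in bits of a phrase of `word_count` words each chosen uniformly
    from `dictionary_size` candidates. Real phrases sit below this because
    grammar and word frequency make some choices far likelier than others."""
    return word_count * math.log2(dictionary_size)


def meets_policy(pw: str, min_len: int = 15) -> dict:
    """Check the three recommendations from the post. The 15-character floor is
    also the length at which Windows stops storing an LM hash for the password."""
    return {
        "length_ok": len(pw) >= min_len,
        "mixed_case": any(c in LOWER for c in pw) and any(c in UPPER for c in pw),
        "has_digit": any(c in DIGITS for c in pw),
        "has_special": any(c in SPECIAL for c in pw),
    }


def compare(phrase: str, dictionary_size: int) -> dict:
    """Entropy of the phrase under the dictionary model versus a random string
    of the same character length over the full printable alphabet."""
    words = phrase.split()
    return {
        "length": len(phrase),
        "word_count": len(words),
        "random_bits": random_password_bits(len(phrase)),
        "phrase_bits": word_phrase_bits(len(words), dictionary_size),
    }


if __name__ == "__main__":
    phrase = "I love my Mac and it loves Me"  # the example phrase from the thread
    for dsize in (2_000, 20_000):  # assumed dictionary sizes, constructed for this example
        r = compare(phrase, dsize)
        print(f"dictionary of {dsize:>6} words: {r['length']} random chars ~ {r['random_bits']:.0f} bits, "
              f"{r['word_count']} words ~ {r['phrase_bits']:.0f} bits")
    print(meets_policy(phrase))
```

The 29-character phrase comes out near 190 bits if every character were random, but only around 88 to 114 bits under the dictionary model, which is still well above what a random 15-character password of the same alphabet gives (about 99 bits). That is the trade the post describes: the phrase is weaker per character than random text, but long enough that it can still come out ahead, provided it is not one the user repeats in public.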
