Educause Security Discussion mailing list archives

Re: Password entropy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 20 Jul 2006 10:18:12 -0700

Roger,

Passphrase_Length_and_Complexity_Considerations.xls
If the sheet is incorrect, I'd like to know.

 Nice find! The sheet is 2 years old, so the processing numbers need to
be updated, and the sheet is misleading about entropy, since he is
assuming a password cracker that uses brute force. On that assumption,
entropy is near 99%, excepting that even a 'random' brute force crack is
not exactly random. Thus, his comparison to pass phrases is equally
problematic. In other words, it is challenging to account for real world
math on password crackers without being accurate as to the cracking
method (pattern matching in particular, which all modern crackers do in
some form), and thus his generic approach misses that real-world gap
while creating a false theoretical gap with the entropy variable. 

 All in all though, I think this is a good resource. It is a reasonable
and commendable attempt to create some ground on a complex issue, but it
could use a disclaimer. ;)

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College

-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU] 
Sent: Wednesday, July 19, 2006 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password entropy

BTW - you can download
Passphrase_Length_and_Complexity_Considerations.xls
from 
<http://www.shiloh.k12.il.us/tech/feast2006/Scripting/JasonFossenScripts/Day6--Scripting/>

If the sheet is incorrect, I'd like to know.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax)
"You're never too old to have a great childhood!"

