Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Steven Alexander <alexander.s () MCCD EDU>
Date: Mon, 19 Nov 2007 14:37:45 -0800
Harold,

A predictable 15 character password is still not very good. If an attacker tries a brute force approach starting with a random password and a single character set, then all passwords of the same length are equal. But, they don't do that. With shorter passwords, attackers usually start with English and foreign word lists, common names, etc. They may also try each of those with varying capitalizations or with numbers prepended or appended. When attackers do resort to brute force, they often use password crackers that favor certain letters over others based on their usage in real language or other cracked passwords.

If a smart attacker knows that the passwords are all at least 15 characters, he also knows that dumb brute force is impossible. His best approach is to try passwords that he thinks will be common. This might mean trying all word pairings that are at least 15 characters, word pairings combined with a one or two digit number, or names with possible numerical birthdates. It could also mean trying famous quotes, movie quotes, and poems with varying punctuations and capitalizations.

An attacker trying an intelligent approach, rather than raw brute force, would probably also try predictable passwords such as 'a' or 'b' 15 times, or "abcdef...", etc. Such an attacker might not ever guess "I don't like the Red Sox", but "aaaa..." and "May the Force be with you" will get figured out pretty quickly.

Cheers,

Steven

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 2:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails but I thought that a 15 character passphrase is as secure as a 15 character random password.

For that matter, I thought the user could use the letter "a" fifteen times and it could be as secure as a random 15-character password or a 15-character password such as "I don't like the Red Sox" (I think that's more than 15, though).

Harold
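The point of Steven's reply is that length alone says nothing about how many guesses a password will survive once the attacker prioritises predictable constructions. The following strength estimator is an added example (not code from the thread or from any of its participants) that makes that concrete from the defender's side: it compares the naive keyspace of a password with a modelled guess count for the patterns named in the message (repeated characters, alphabet or keyboard runs, well-known phrases, dictionary words and word pairs with a short number appended). The word and phrase lists, the case and punctuation multipliers, and the function names are constructed assumptions for illustration; a real policy check would load full dictionaries and tune the multipliers.

```python
"""Pattern-aware password strength estimate (added example, constructed data)."""
import math
import re

# Constructed sample lists; a real checker would load full word/phrase lists.
WORDS = ["password", "letmein", "welcome", "dragon", "monkey", "sunshine",
         "football", "baseball", "princess", "qwerty", "redsox", "like"]
PHRASES = ["may the force be with you", "to be or not to be",
           "i love you", "correct horse battery staple"]
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Assumed effort multipliers for the variants an attacker would try per base guess.
CASE_VARIANTS_PER_WORD = 3          # lower, Capitalized, UPPER
PHRASE_VARIANTS = 64                # punctuation / capitalisation tweaks per phrase
DIGIT_SUFFIX_OPTIONS = 1 + 10 + 100 + 1000 + 10000   # no digits, or 1 to 4 digits


def _letters_digits(pw):
    """Lowercase the password and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", pw.lower())


def naive_guesses(pw):
    """Keyspace if every character were chosen uniformly from the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33                  # printable ASCII punctuation and space
    return size ** len(pw)


def pattern_guesses(pw):
    """Guesses needed by an attacker who tries predictable constructions first.

    Returns (pattern_name, estimated_guesses); falls back to the naive keyspace
    when none of the modelled patterns matches.
    """
    core = _letters_digits(pw)

    # 'a' or 'b' repeated: about one guess per printable ASCII character.
    if len(set(pw)) == 1:
        return "repeated character", 95

    # A run of the alphabet, the digits or a keyboard row, forward or reversed.
    for seq in SEQUENCES:
        if core and (core in seq or core in seq[::-1]):
            return "sequence", len(SEQUENCES) * 2 * len(seq)

    # A famous phrase with spaces, punctuation and case stripped.
    if core in {p.replace(" ", "") for p in PHRASES}:
        return "known phrase", len(PHRASES) * PHRASE_VARIANTS

    # A word or word pair, optionally followed by a short number or a year.
    m = re.fullmatch(r"([a-z]+)(\d{0,4})", core)
    if m:
        letters = m.group(1)
        if letters in WORDS:
            return ("dictionary word + digits",
                    len(WORDS) * CASE_VARIANTS_PER_WORD * DIGIT_SUFFIX_OPTIONS)
        for i in range(1, len(letters)):
            if letters[:i] in WORDS and letters[i:] in WORDS:
                return ("word pair + digits",
                        (len(WORDS) * CASE_VARIANTS_PER_WORD) ** 2
                        * DIGIT_SUFFIX_OPTIONS)

    return "no pattern found", naive_guesses(pw)


def effective_bits(pw):
    """log2 of the smaller of the naive keyspace and the pattern estimate."""
    name, guesses = pattern_guesses(pw)
    return name, round(math.log2(min(guesses, naive_guesses(pw))), 1)


def report(pw):
    """One-line comparison of naive versus modelled strength."""
    name, bits = effective_bits(pw)
    naive = round(math.log2(naive_guesses(pw)), 1)
    return f"{pw!r}: naive {naive} bits, modelled {bits} bits ({name})"


if __name__ == "__main__":
    for candidate in ["aaaaaaaaaaaaaaa", "abcdefghijklmno",
                      "May the Force be with you", "FootballMonkey42",
                      "I don't like the Red Sox"]:
        print(report(candidate))
```

Run stand-alone, the script shows the naive estimate treating all five candidates as strong (over 70 bits each) while the modelled estimate puts the repeated-letter, alphabet-run and movie-quote candidates under 10 bits, exactly the gap the message describes. The multipliers are deliberately coarse; what matters for a policy check is the ordering, and that the fallback is the naive keyspace rather than an optimistic guess.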
Current thread:
- Re: Passwords & Passphrases, (continued)
- Re: Passwords & Passphrases Sweeny, Jonny (Nov 19)
- Re: Passwords & Passphrases Shane Bishop (Nov 19)
- Re: Passwords & Passphrases Martin Manjak (Nov 19)
- Re: Passwords & Passphrases Gary Flynn (Nov 19)
- Re: Passwords & Passphrases Peters, Kevin (Nov 19)
- Re: Passwords & Passphrases Randy Marchany (Nov 19)
- Re: Passwords & Passphrases Gene Spafford (Nov 19)
- Re: Passwords & Passphrases Roger Safian (Nov 19)
- Re: Passwords & Passphrases Roger Safian (Nov 19)
- Re: Passwords & Passphrases Harold Winshel (Nov 19)
- Re: Passwords & Passphrases Steven Alexander (Nov 19)
- Re: Passwords & Passphrases Alex (Nov 19)
- Re: Passwords & Passphrases Harold Winshel (Nov 19)
- Re: Passwords & Passphrases Harold Winshel (Nov 19)
- Re: Passwords & Passphrases Peters, Kevin (Nov 19)
- Re: Passwords & Passphrases Gene Spafford (Nov 19)
- Re: Passwords & Passphrases Peters, Kevin (Nov 19)
- Re: Passwords & Passphrases Bob Bayn (Nov 19)
- Re: Passwords & Passphrases Gene Spafford (Nov 19)
- Re: Passwords & Passphrases Mike Iglesias (Nov 19)
- Re: Passwords & Passphrases Benjamin Bennett (Nov 19)
(Thread continues...)