Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Steven Alexander <alexander.s () MCCD EDU>
Date: Mon, 19 Nov 2007 14:37:45 -0800

Harold,

A predictable 15 character password is still not very good.  If an
attacker tries a brute force approach starting with a random password
and a single character set, then all passwords of the same length are
equal.  But, they don't do that.  With shorter passwords, attackers
usually start with English and foreign word lists, common names, etc.
They may also try each of those with varying capitalizations or with
numbers prepended or appended.  When attackers do resort to brute force,
they often use password crackers that favor certain letters over others
based on their usage in real language or other cracked passwords.

If a smart attacker knows that the passwords are all at least 15
characters, he also knows that dumb brute force is impossible.  His best
approach is to try passwords that he thinks will be common.  This might
mean trying all word pairings that are at least 15 characters, word
pairings combined with a one- or two-digit number, or names with
possible numerical birthdates.  It could also mean trying famous quotes,
movie quotes, and poems with varying punctuations and capitalizations.
An attacker trying an intelligent approach, rather than raw brute force,
would probably also try predictable passwords such as 'a' or 'b' 15
times, or "abcdef...", etc.

Such an attacker might not ever guess "I don't like the Red Sox", but
"aaaa..." and "May the Force be with you" will get figured out pretty
quickly.

Cheers,

Steven

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 2:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails but I thought that a 15 
character passphrase is as secure as a 15 character random password.

For that matter, I thought the user could use the letter "a" fifteen 
times and it could be as secure as a random 15-character password or 
a 15-character password such as "I don't like the Red Sox" (I think 
that's more than 15, though).

Harold
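
Steven's message above describes how an attacker who knows the minimum length is 15 skips raw brute force and instead enumerates the predictable long passwords: word pairings, pairings with a one- or two-digit number, names with birthdates, famous quotes with varying punctuation and capitalisation, and trivial strings such as "a" repeated. The following Python script is an added example, not part of the original thread and not code from either poster, that builds such a candidate list and checks which of the passwords mentioned in the thread it would recover. The word, quote and name lists, the mangling rules and the test passwords are small constructed samples chosen for illustration; real cracking tools use lists with millions of entries and many more rules.

```python
"""Added example: why a predictable 15+ character password falls to a
wordlist attack long before brute force becomes feasible.

All word, quote and name lists below are small constructed samples
(assumptions for illustration, not real cracker wordlists).
"""
import itertools
import math
import string

MIN_LEN = 15  # the policy minimum under discussion in the thread

# Constructed sample lists.
WORDS = ["password", "security", "football", "baseball", "computer", "redsox"]
QUOTES = ["May the Force be with you", "To be or not to be", "I'll be back"]
NAMES = ["michael", "jennifer", "william"]


def repeated_chars(min_len=MIN_LEN):
    """'aaaaaaaaaaaaaaa', '111111111111111', ...: one char repeated to the minimum."""
    for ch in string.ascii_lowercase + string.digits:
        yield ch * min_len


def sequences(min_len=MIN_LEN):
    """Every min_len-long window of the alphabet, a keyboard-row walk and the digits."""
    runs = (string.ascii_lowercase, "qwertyuiopasdfghjklzxcvbnm", string.digits * 2)
    for run in runs:
        for start in range(len(run) - min_len + 1):
            yield run[start:start + min_len]


def case_variants(s):
    """The capitalisation patterns people actually use."""
    return {s.lower(), s.upper(), s.capitalize(), s.title()}


def digit_suffixes():
    """No suffix, then every one- and two-digit number ('0'..'9', '00'..'99')."""
    yield ""
    for n in range(10):
        yield str(n)
    for n in range(100):
        yield f"{n:02d}"


def word_pairings(words, min_len=MIN_LEN):
    """Ordered word pairs, joined directly or by a space, with case and digit mangling.
    Pairs that cannot reach the policy minimum are skipped: an attacker who knows
    the policy never wastes guesses on strings it would have rejected."""
    for a, b in itertools.permutations(words, 2):
        for sep in ("", " "):
            base = a + sep + b
            if len(base) < min_len:
                continue
            for variant in case_variants(base):
                for suffix in digit_suffixes():
                    yield variant + suffix


def quote_variants(quotes):
    """Quotes as written, lower-cased, without spaces, and with trailing punctuation."""
    for q in quotes:
        for form in (q, q.lower(), q.replace(" ", ""), q.lower().replace(" ", "")):
            for punct in ("", ".", "!"):
                yield form + punct


def name_birthdates(names, years=range(1950, 2010)):
    """name + MMDDYYYY: a 7-letter name plus an 8-digit date is exactly 15 characters."""
    for name in names:
        for variant in case_variants(name):
            for year in years:
                for month in range(1, 13):
                    for day in range(1, 32):
                        yield f"{variant}{month:02d}{day:02d}{year}"


def generate_candidates(words=WORDS, quotes=QUOTES, names=NAMES, min_len=MIN_LEN):
    """Everything the intelligent attacker tries, filtered to the policy minimum."""
    streams = (
        repeated_chars(min_len),
        sequences(min_len),
        word_pairings(words, min_len),
        quote_variants(quotes),
        name_birthdates(names),
    )
    return {c for stream in streams for c in stream if len(c) >= min_len}


def guess(targets, candidates):
    """Map each target password to whether the candidate list would recover it."""
    return {t: (t in candidates) for t in targets}


def keyspace_bits(alphabet_size, length):
    """log2 of the raw brute-force space; 95 printable ASCII chars ^ 15 is about 2^98."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    cands = generate_candidates()
    targets = ["a" * 15, "May the Force be with you", "Securitypassword42",
               "michael12251985", "I don't like the Red Sox"]
    print(f"{len(cands):,} candidates versus a raw keyspace of 2^{keyspace_bits(95, 15):.0f}")
    for target, hit in guess(targets, cands).items():
        print(f"{'FOUND    ' if hit else 'not found'} {target!r}")
```

Running it shows a few hundred thousand candidates (trivially cheap to hash) against a raw keyspace near 2^98, and the repeated "a", the movie quote, the word pair with a number and the name-plus-birthdate are all found while "I don't like the Red Sox" is not. That phrase survives only because it is absent from the constructed lists, not because of its length: the protection comes from unpredictability, and a sentence that appears in a quote list or a previously cracked-password list is lost regardless of how long it is.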