Re: Diceware method adoption - brute force me if you dare

[M.B.Jr. <marcio.barbado () gmail com>]

jf,

if your analogy was somehow decent, it would consider the police
giving citizens some shotguns since the Diceware dictionary is freely
available for download.




On Wed, Mar 12, 2008 at 11:49 PM, jf <jf () danglingpointers net> wrote:
> police officers (in the states) wear bullet proof vests because there is a
>  high probability of them getting shot/shot at, do you think that somehow makes it legal?
>
>
>  On Wed, 12 Mar 2008, M.B.Jr. wrote:
>
>  > Date: Wed, 12 Mar 2008 16:15:56 -0300
>  > From: M.B.Jr. <marcio.barbado () gmail com>
>  > To: Full-Disclosure mailing list <full-disclosure () lists grok org uk>
>  > Subject: [Full-disclosure] Diceware method adoption - brute force me if you
>  >     dare
>
>
> >
>  > Dear list,
>  > I was studying this passphrase creation method called Diceware:
>  >
>  > http://world.std.com/~reinhold/diceware.html
>  >
>  > In it, one rools a common dice five times, write down the results, in
>  > a sequential manner,  and then check the suggested word in the
>  > DICTIONARY they provide.
>  > You got that? The method is supposed to give the user the words to use.
>  >  Say your results were "5;6;1;5;3", then you check their table and the
>  > word listed under that number sequence is "sus"; well, that's the
>  > (pretty short) word to use in your passphrase.
>  > A 46,656 (6^6) word dictionary, publicly available. The method is
>  > clearly one bad choice for password creation but it's fairly
>  > acceptable for obtaining passphrases and concerning the latter, it
>  > assumes that eventual attackers know the referred dictionary, however
>  > offering a low guessing probability (high information entropy) for
>  > passphrases.
>  >
>  > Despite the "rite of passage" idea in which the target stops trying to
>  > hide and starts expecting attacks as a certainty, my point here is
>  > legal.
>  > Doesn't adopting the Diceware method in a, say, government corporative
>  > environment means legalizing brute force attacks?
>  >
>  > Yours faithfully,
>  >
>  >
>  >
>  >



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/