Re: ADS Password Storage Protection

["Gregory Rubin" <grrubin () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While I agree that length is far superior to complexity, I must
disagree that 15 char is sufficient.

(Pure theory to follow)
Each additional letter in English provides approximately 1.1 bits of
entropy.  Even grossly overestimating this at 2 bits, the total
entropy of a 15 char passphrase is only 30 bits or the equivelent of a
complex password of length 3 to 4.  Thus, the passphrase remains
vulnerable to dictionary attacks.

For secure systems, the user should type a sentance.  That will easily
provide around 20 or more characters.  At that length, the entropy at
the word level (as opposed to just the letter) starts to really come
into play and the pass phrase becomes secure.  For administrators, it
doesn't even need to be much longer, but they could throw in a little
complexity as they are likely to be more competant.

For low security systems, the users are going to pick weak stuff no
matter what, so is it worth the added inconvience?

Greg

P.S. Signed with a 40+ char pass-phrase.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9

iD8DBQFEvAR15KDU23nQpRcRAo8NAKC6zl2Y0IhsInZmaH0wec6nGZuzQwCg5jWq
UzR9jOPNsVbLXPjA2Lncaz4=
=81Gb
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and  
practice to master. We can't teach you to hack. But we can teach you  
what we've learned so far. Our courses are honest, real, technical  
and practical. SensePost willl be at Black Hat Vegas in July. To see  
what we're about, visit us at: 

http://www.sensepost.com/training.html
---------------------------------------------------------------------------