Security Basics mailing list archives

RE: Length vs Complexity


From: Pankaj <pankaj.with.wings () gmail com>
Date: Thu, 16 Sep 2010 23:22:37 +0530

Hmm, Mike.

Using complete English words only separated by dots wouldn't be a good idea because it can be broken through a 
brute-force attack using an English dictionary. Of course, having three English words separated by dots is better than 
having only two simply because it increases the number of permutations to be tried.

However, if we compare it with the other password, we can immediately get a feeling of more security since the attacker 
can't get candidates from an English dictionary. In addition, having the symbols along with letters and numbers just 
breaks the logical continuity and thus makes it harder for the attacker to guess it.

So, in a nutshell, the first password is weaker due to its being intelligible to a machine, given a dictionary. Being 
longer, it increases the permutations but the gain doesn't offset the risk due to the presence of guessable words.

Do you agree?

-----Original Message-----
From: Mike Razzell <m.razzell () gmail com>
Sent: 16 September 2010 22:31
To: security-basics () securityfocus com
Subject: Length vs Complexity

Users hear constantly that they should add complexity to their
passwords, but from the math of it doesn't length beat complexity
(assuming they don't just choose a long word)?  This is not to suggest
they should not use special characters, but simply that something like
Security.Basics.List would provide better security than D*3ft!7z.  Is
that correct?

Thanks,
-Mike

-- 
Sent from my mobile device
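
The comparison discussed in this thread, worked through as an added example (not written by either poster): it estimates the search space of both passwords under a per-character brute force and under a word-level dictionary attack. The wordlist size, the capitalisation variants, the separator set and the three-word sample list are constructed assumptions.

```python
import math
import re
import string

# Constructed assumptions, not figures from the thread.
ASSUMED_WORDLIST_SIZE = 100_000   # words in the attacker's English dictionary
CASE_VARIANTS = 3                 # word, Word, WORD
SEPARATORS = ".-_ "               # one separator, used throughout, chosen from this set
SAMPLE_WORDS = {"security", "basics", "list"}  # stand-in for a real wordlist

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Alphabet size a per-character brute force must cover."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def brute_force_bits(password):
    """log2 of the search space when every character is guessed independently."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def dictionary_bits(password, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """log2 of the search space for a word-level attack, or None when the
    password is not made only of dictionary words joined by a separator."""
    parts = re.split("[" + re.escape(SEPARATORS) + "]", password)
    if len(parts) < 2 or any(p.lower() not in SAMPLE_WORDS for p in parts):
        return None
    per_word = math.log2(wordlist_size * CASE_VARIANTS)
    return len(parts) * per_word + math.log2(len(SEPARATORS))

def effective_bits(password, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """The cheaper of the two models bounds the password's strength."""
    brute = brute_force_bits(password)
    words = dictionary_bits(password, wordlist_size)
    return brute if words is None else min(brute, words)

if __name__ == "__main__":
    for pw in ("Security.Basics.List", "D*3ft!7z"):
        for size in (20_000, 100_000):
            print(f"{pw:22} wordlist={size:>7}  "
                  f"brute={brute_force_bits(pw):6.1f} bits  "
                  f"effective={effective_bits(pw, size):6.1f} bits")
```

Under these assumptions the three-word password drops from about 128 bits (per-character) to about 57 bits (word-level), against about 52 bits for the eight-character one; with an assumed 20,000-word list it falls below it.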

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


