Security Basics mailing list archives

Re: Length vs Complexity


From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 17 Sep 2010 17:40:36 -0400

Hi px8,

 .... the bit strength (entropy) of the password...
At 20 characters, I don't believe "Security.Basics.List" has 92 bits
of entropy. I also don't believe entropy (a measure of uncertainty) is
equivalent to security (an estimate of the strength when factoring in
keys, algorithms, attacks, etc).

Sorry about the lame references.

Jeff

http://en.wikipedia.org/wiki/Entropy_%28information_theory%29
http://www.cryptopp.com/wiki/Security_level

On Thu, Sep 16, 2010 at 1:36 PM, p8x <l () p8x net> wrote:
I personally base password strength off the bit strength (entropy) of the
password, as well as not selecting dictionary words. In the case of your
passwords, "Security.Basics.List" is 92 bits (there are 2^92 possibilities
if someone was to attempt a brute force). In comparison, "D*3ft!7z" is 51
bits.

In a brute force attack the shorter password would come out second best,
although keep in mind factors like dictionary attacks etc. can speed up
guesses of common words.


On 17/09/2010 1:01 AM, Mike Razzell wrote:

Users hear constantly that they should add complexity to their
passwords, but, from the math of it, doesn't length beat complexity
(assuming they don't just choose a long word)? This is not to suggest
they should not use special characters, but simply that something like
Security.Basics.List would provide better security than D*3ft!7z. Is
that correct?

Thanks,
-Mike
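
A worked comparison of the two estimates at issue in this thread, added here as an example and not code from any of the posters: the naive charset-times-length figure behind p8x's bit counts, beside a word-pattern model of the kind Jeff's objection points at. The dictionary size (100,000 words), two capitalisation styles and four separator characters are assumptions, and the charset figures come out higher than p8x's because estimators differ in which character pools they assume.

```python
import math
import re
import string

# Constructed sample inputs: the two passwords debated in the thread.
LONG_PHRASE = "Security.Basics.List"
SHORT_RANDOM = "D*3ft!7z"


def charset_size(password: str) -> int:
    """Size of the printable-ASCII pool an attacker who knows only which
    character classes appear would have to search (the naive model)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the search space under the charset-and-length model."""
    return len(password) * math.log2(charset_size(password))


def word_pattern_bits(n_words: int, dict_size: int,
                      caps_choices: int, n_separators: int) -> float:
    """log2 of the search space if the attacker's model is instead
    'n_words dictionary words, each in one of caps_choices capitalisation
    styles, joined by one of n_separators separator characters'."""
    per_word = math.log2(dict_size) + math.log2(caps_choices)
    return n_words * per_word + math.log2(n_separators)


def estimates(password: str) -> dict:
    """Return both estimates; the word model is only applied when the
    password splits into word-like alphabetic chunks on separators."""
    result = {"charset_bits": brute_force_bits(password)}
    parts = re.split(r"[^A-Za-z]", password)
    if len(parts) > 1 and all(len(p) >= 3 and p.isalpha() for p in parts):
        # Assumed attacker dictionary: 100k words, 2 caps styles, 4 separators.
        result["word_model_bits"] = word_pattern_bits(len(parts), 100_000, 2, 4)
    return result


if __name__ == "__main__":
    for pw in (LONG_PHRASE, SHORT_RANDOM):
        print(pw, {k: round(v, 1) for k, v in estimates(pw).items()})
```

Under the word model the 20-character phrase lands near 55 bits, in the same range as the 8-character random string, which is the gap between "entropy of the string" and "uncertainty given the attacker's model" that the reply is getting at.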




