Re: Password entropy

[David Gillett <gillettdavid () FHDA EDU>]

  Stronger?  Probably not.  *All other things being equal*, length
almost certainly trumps complexity.

  More effective?  Sure.  It's a lot less typing, which makes it
easier to get the human to *use* it.  And it resists most of the
possible attacker shortcuts that the use of English words and
grammar subjects the longer phrase to (which effectively shorten
the long phrase).

  Some fraction of what I lose on length, I make back on complexity,
and a really strong password that people won't use doesn't do any good.

David Gillett


> -----Original Message-----
> From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
> Sent: Wednesday, July 19, 2006 11:39 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password entropy
>
> At 01:14 PM 7/19/2006, David Gillett put fingers to keyboard
> and wrote:
> >  If I choose
> >
> > > "1 am not going to PAY a lot for the muffler!"
> >
> > as my "passphrase", *I* will probably use
> >
> > "1angtPalftm"
> >
> > as the actual *password*.
>
> I just want to be clear here.  You are suggesting that the
> shorter phrase is stronger than the longer phrase?
>
>
> --
> Roger A. Safian
> r-safian () northwestern edu (email) public key available on
> many key servers.
> (847) 491-4058   (voice)
> (847) 467-6500   (Fax) "You're never too old to have a great
> childhood!"