Re: Password entropy

[Roger Safian <r-safian () NORTHWESTERN EDU>]

At 06:42 PM 7/19/2006, Basgen, Brian put fingers to keyboard and wrote:
> Roger,
> > the shorter phrase is stronger than the longer phrase?
>
> I think that is questionable. One would have to work out the entropy.
> One thing to think about is that effective cracking would need to target
> phrases versus passwords. Thus, one could make an argument for security
> through obscurity, since most crackers target passwords (and thus
> mnemonics) the phrase approach is stronger. Also, consider that
> depending on the cracking approach, either each letter is a factor in
> the entropy (passwords) or each word is a factor (in pass phrases): an
> important difference here is that characters have a limited amount of
> variation (in a good scenario, 96 variations), while words could
> theoretically have 500,000 variations, which significantly alters the
> math! :) In the absence of math on entropy for passphrases, I tend to
> think they are stronger (and easier).

Just to be clear, this was the very point I was making, which was why
I asked the question in the first place.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"