Educause Security Discussion mailing list archives

Re: Password entropy


From: Graham Toal <gtoal () UTPA EDU>
Date: Thu, 20 Jul 2006 10:01:13 -0500

Which is a better password?

    abcdefghijklmnopqrstuvwxyz
    1angtPalftm

The second one is better by far. Cracking time is a function
of entropy: the more basic the pattern, the less entropy. The
first 'password' you show has a very simple pattern.

Has anyone mentioned NIST FIPS 181 yet?

I don't personally think it's all that great, but I suspect
it does wonders for complaints from the auditors...

(talking of entropy, you need a good entropy generator
for a random password generator.  I've seen so many obfuscated
sources which boiled down in the end to either a 16 bit
PRNG seed, or using a clock() value that could be guessed
to within a few minutes!  I think FIPS 181 uses your previous
password as a seed, which has to be pretty dubious!)

G
http://www.itl.nist.gov/fipspubs/fip181.htm
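An added example, not from the post or from FIPS 181, showing why the seeding failure described above matters: a generator whose only entropy is a 16-bit seed can never emit more than 65536 distinct passwords, however long they look. It assumes a 62-character alphanumeric alphabet and uses Python's `random.Random` as the weakly seeded generator and `secrets` as the properly seeded one.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, assumed alphabet


def weak_password(seed16: int, length: int) -> str:
    """Password generator whose only entropy is a 16-bit seed (the flaw described)."""
    rng = random.Random(seed16 & 0xFFFF)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int) -> str:
    """Same construction, but every symbol is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """What the password *looks* like it is worth: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(length: int, seed_bits: int) -> float:
    """What it is actually worth: the generator cannot exceed 2**seed_bits outputs."""
    return min(nominal_entropy_bits(length), seed_bits)


def count_distinct_weak(length: int) -> int:
    """Enumerate every 16-bit seed and count how many distinct passwords result."""
    return len({weak_password(seed, length) for seed in range(1 << 16)})


if __name__ == "__main__":
    n = 11  # same length as the second password in the post
    print(f"nominal entropy for {n} chars: {nominal_entropy_bits(n):.1f} bits")
    print(f"effective entropy with 16-bit seed: {effective_entropy_bits(n, 16):.1f} bits")
    print(f"distinct weak passwords over all seeds: {count_distinct_weak(n)}")
    print(f"sample from OS CSPRNG: {strong_password(n)}")
```

The same check applies to a clock()-seeded generator: a seed known to within a few minutes at one-second resolution is only a few hundred candidates, so the effective entropy is a few bits regardless of password length.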
