Educause Security Discussion mailing list archives

Re: Password entropy


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 24 Jul 2006 10:05:21 -0700

Roger,

Now, on to the questions.  Am I correct in my understanding 
that "this passphrase" is not as strong as "thispassphrase", 
even though the first is longer?  Does running the words 
together help at all?

 Not really. The cracking program will account for both variations, the
question is which it chooses to do first. If you factor in a motivated
cracker, considering that most of us publicize requirements and
suggestions, policy requirements will be aligned in priority. 

FWIW - At the moment I am considering a recommendation of a
12 character minimum.

 This isn't going to be strong when combined with regular words. "At the
moment" is 13 characters, at 3.5 bits of entropy, gives us 45.5 bits
total. 20 characters would put you in a good range "At this moment I
am.". On the one hand, users can remember those phrases, on the other,
you increase the chance of a typo. Also, as Valdis cautioned, passphrase
strength is destroyed by quotes, and common passphrase choices will
reduce entropy (thus lowering the 3.5 multiplier). 

 This leads some to trend towards longer passwords (12-15 characters) of
"semi-random" choices (5 bits of entropy). This is partially the
complexity versus length argument, but the assumption here is that even
with the choice of 96 characters (6.5 bits; e.g. all numbers, letters,
symbols, and case), people will stick to around 32 common characters,
thus combined with a slight increase to traditional length, and you have
good strength. Still though, even with just lowercase and numbers, 12-15
characters is not a happy thing for users to swallow. 

 Considering that neither option is particularly positive, two-factor
authentication is a consensus view. These are not without challenges of
course: token/card administration and user encumbrance to biometric
privacy and transparency. When the mandate is feasible password
security, two factor is the best option. Due to these challenges, many
in academia find it easier to reverse their premise that password
security is important! :p

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
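The back-of-the-envelope arithmetic in this post (13 characters at 3.5 bits each = 45.5 bits, 20 characters for a comfortable phrase, 12-15 "semi-random" characters at 5 bits each) can be written down as a small policy-sizing helper. This is an added example, not code from the thread; the bits-per-character figures are the post's rough assumptions, not measurements, and the 96-character set is taken as given.

```python
import math

# Bits-per-character models as stated in the post (rough assumptions, not
# measured values): regular English words ~3.5 bits, "semi-random" picks
# from ~32 common characters 5 bits, the full 96-character set ~6.5 bits.
BITS_PER_CHAR = {
    "english_words": 3.5,
    "semi_random_32": math.log2(32),   # exactly 5.0
    "full_96": math.log2(96),          # ~6.58, quoted as 6.5 in the post
}


def estimate_bits(secret: str, model: str) -> float:
    """Crude entropy estimate: length times the model's bits per character."""
    return len(secret) * BITS_PER_CHAR[model]


def min_length_for(target_bits: float, model: str) -> int:
    """Smallest length that reaches target_bits under the given model."""
    return math.ceil(target_bits / BITS_PER_CHAR[model])


def size_policy(target_bits: float) -> dict:
    """Minimum length a policy must require, per model, to hit target_bits.

    Useful for comparing the post's two options: a long natural-language
    passphrase versus a shorter string of semi-random characters.
    """
    return {model: min_length_for(target_bits, model) for model in BITS_PER_CHAR}


def meets_target(secret: str, model: str, target_bits: float) -> bool:
    """Policy check: does the candidate reach target_bits under the model?"""
    return estimate_bits(secret, model) >= target_bits


if __name__ == "__main__":
    # Constructed examples mirroring the post's figures.
    print(estimate_bits("At the moment", "english_words"))        # 45.5
    print(estimate_bits("At this moment I am.", "english_words")) # 70.0
    print(size_policy(60.0))  # e.g. 18 words-chars vs 12 semi-random chars
```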