Educause Security Discussion mailing list archives
Re: Password entropy
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 24 Jul 2006 10:05:21 -0700
Roger,
> Now, on to the questions. Am I correct in my understanding that "this passphrase" is not as strong as "thispassphrase", even though the first is longer? Does running the words together help at all?
Not really. The cracking program will account for both variations, the question is which it chooses to do first. If you factor in a motivated cracker, considering that most of us publicize requirements and suggestions, policy requirements will be aligned in priority.
> FWIW - At the moment I am considering a recommendation of a 12 character minimum.
This isn't going to be strong when combined with regular words. "At the moment" is 13 characters, at 3.5 bits of entropy per character, which gives us 45.5 bits total. 20 characters would put you in a good range: "At this moment I am." On the one hand, users can remember those phrases; on the other, you increase the chance of a typo. Also, as Valdis cautioned, passphrase strength is destroyed by quotes, and common passphrase choices will reduce entropy (thus lowering the 3.5 multiplier).

This leads some to trend towards longer passwords (12-15 characters) of "semi-random" choices (5 bits of entropy per character). This is partially the complexity versus length argument, but the assumption here is that even with the choice of 96 characters (6.5 bits; e.g. all numbers, letters, symbols, and case), people will stick to around 32 common characters; combine that with a slight increase to traditional length, and you have good strength. Still though, even with just lowercase and numbers, 12-15 characters is not a happy thing for users to swallow.

Considering that neither option is particularly positive, two-factor authentication is a consensus view. These are not without challenges, of course: token/card administration and user encumbrance to biometric privacy and transparency. When the mandate is feasible password security, two-factor is the best option. Due to these challenges, many in academia find it easier to reverse their premise that password security is important! :p

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
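The arithmetic behind Brian's figures (length times bits per character, with the per-character rate depending on how the characters were chosen), worked through as an added example that is not part of the original message or the list. The three models and their bit rates are taken from the post (3.5 bits/char for English words, log2(32) for "semi-random" choices, log2(96) for the full printable set); the "known phrase" dictionary, the spacing-variant count and the guess rate are assumptions introduced here to illustrate the quotes caveat and the "this passphrase" vs "thispassphrase" question.

```python
import math

# Per-character entropy models from the thread (assumptions, not measurements):
#   "english"    : ~3.5 bits/char for natural-language words (the 3.5 multiplier in the post)
#   "semirandom" : 32 commonly used symbols, log2(32) = 5 bits/char
#   "full"       : 96 printable symbols (letters, digits, symbols, both cases), log2(96) ~ 6.58 bits/char
MODELS = {
    "english": 3.5,
    "semirandom": math.log2(32),
    "full": math.log2(96),
}


def estimate_bits(secret: str, model: str) -> float:
    """Length-times-bits-per-character estimate, as used in the thread."""
    return len(secret) * MODELS[model]


def separator_bonus(variants: int) -> float:
    """A cracker that tries every spacing/punctuation variant of a phrase pays only
    log2(variants) extra guesses, so 'this passphrase' vs 'thispassphrase' adds at most
    1 bit (two variants: with and without the space)."""
    return math.log2(variants)


def _normalize(phrase: str) -> str:
    # Collapse spacing, punctuation and case so 'To Be, or not to be' matches 'tobeornottobe'.
    return "".join(ch for ch in phrase.lower() if ch.isalnum())


def effective_bits(secret: str, model: str, known_phrases, variants: int = 1) -> float:
    """If the phrase is already in a list the cracker tries (quotes, lyrics, titles), the
    length-based estimate is irrelevant: the cost is log2(dictionary size * spacing variants).
    Otherwise fall back to the per-character model."""
    dictionary = {_normalize(p) for p in known_phrases}
    if _normalize(secret) in dictionary:
        return math.log2(len(dictionary) * variants)
    return estimate_bits(secret, model)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to search the whole space at a constant guess rate (the 1e9/s rate is an
    illustrative assumption, not a figure from the thread)."""
    return 2.0 ** bits / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    # Constructed sample inputs: the post's two phrases, one famous quote, one semi-random string.
    famous = ["to be or not to be", "all you need is love"]   # constructed toy quote dictionary
    for secret, model in [("At the moment", "english"),
                          ("At this moment I am.", "english"),
                          ("To be, or not to be", "english"),
                          ("k7fm2qbx9s4h", "semirandom")]:
        bits = effective_bits(secret, model, famous, variants=2)
        print(f"{secret!r:25} {model:11} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years @1e9/s")
```

The point the table makes is the one in the post: a 13-character English phrase sits near 45 bits, a 20-character one near 70, and 12 semi-random characters reach 60, while a well-known quote collapses to a handful of bits however long it is, and adding a space buys at most one bit against a cracker that tries both spellings.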
Current thread:
- Re: Password entropy, (continued)
- Re: Password entropy Roger Safian (Jul 23)
- Re: Password entropy Paul Russell (Jul 23)
- Re: Password entropy James H Moore (Jul 23)
- Re: Password entropy Valdis Kletnieks (Jul 23)
- Re: Password entropy Harold Winshel (Jul 24)
- Re: Password entropy Robert Kerr (Jul 24)
- Re: Password entropy Graham Toal (Jul 24)
- Re: Password entropy Roger Safian (Jul 24)
- Re: Password entropy Graham Toal (Jul 24)
- Re: Password entropy Valdis Kletnieks (Jul 24)
- Re: Password entropy Basgen, Brian (Jul 24)
- Re: Password entropy Roger Safian (Jul 24)
- Re: Password entropy Harold Winshel (Jul 24)
- Re: Password entropy Jimmy Kuo (Jul 24)
- Re: Password entropy Valdis Kletnieks (Jul 24)
- Re: Password entropy Roger Safian (Jul 25)
- Re: Password entropy Basgen, Brian (Jul 25)
- Re: Password entropy Alan Amesbury (Jul 25)
- Re: Password entropy Valdis Kletnieks (Jul 25)