Re: Passwords & Passphrases

[Harold Winshel <winshel () CAMDEN RUTGERS EDU>]

Are you saying a password cracking program is more likely to guess
the letter "a" repeated 15 times or that an individual user trying to
break in to a machine will more likely try that?

Harold

At 05:37 PM 11/19/2007, Alex wrote:
> Harold:
>
> I think there is confusion betweeen pure mathematical probability and
> probability based on historical attacks/human created passwords.
> An attacker is more likely to try repetitive or dictionary-based/hybrid
> attacks over a network (or against a hash) than random passwords.
> Additionally, people are more likely to use certain characters than others
> when creating passwords (e.g. wheel of fortune).
>
> Therefore, user created passwords are not random.
>
> So, given that we know attackers typically use 'easy' passwords, the
> character 'a' repeated 15 times is more likely to be cracked than a 15
> character passphrase.
> Likely, so is a 15 character passphrase when compared to a truly randomly
> generated password of 15 characters from the same character set.
> Hence, we have password complexity rules as those in Microsoft Server 2003
> and linux.
>
> -Alex
>
> -----Original Message-----
> From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
> Sent: Monday, November 19, 2007 5:16 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Passwords & Passphrases
>
> I may have missed some of the earlier emails but I thought that a 15
> character passphrase is as secure as a 15 character random password.
>
> For that matter, I thought the  user could use the letter "a" fifteen times
> and it could be as secure as a random 15-character password or a
> 15-character password such as '"I don't like the Red Sox" (I think that's
> more than 15, though).
>
> Harold
>
>
> At 04:44 PM 11/19/2007, Roger Safian wrote:
> >At 02:01 PM 11/19/2007, Martin Manjak put fingers to keyboard and wrote:
> > >move beyond 8 characters with mixed case and special characters. I
> > >would like to see us require a 15 character pass phrase which, in my
> > >view, is more secure (even without complexity), and both easier to
> > >type and remember.
> >
> >Personally I'd love to see a password minimum length of 15 characters.
> >
> >My fear is that a password database get's compromised, and the weak
> >passwords are cracked and bad things take place.  I think that 15
> >characters is a long enough string to make brute force cracking time
> >consuming enough to allow us to change the passwords in a reasonable
> >time-frame.
> >
> >I think the reality is that 15 characters will be too much for the
> >community.  We'll see.
> >
> >
> >--
> >Roger A. Safian
> >r-safian () northwestern edu (email) public key available on many key servers.
> >(847) 491-4058   (voice)
> >(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
>
> Harold Winshel
> Computing and Instructional Technologies Faculty of Arts & Sciences Rutgers
> University, Camden Campus
> 311 N. 5th Street, Room B10 Armitage Hall Camden NJ 08102
> (856) 225-6669 (O)

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)