Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Harold Winshel <winshel () CAMDEN RUTGERS EDU>
Date: Tue, 20 Nov 2007 07:56:10 -0500
Thanks. That was part of what I was trying to determine - how are the password attacking programs written.

At 05:37 PM 11/19/2007, Steven Alexander wrote:

Harold,

A predictable 15-character password is still not very good. If an attacker tries a brute force approach starting with a random password and a single character set, then all passwords of the same length are equal. But they don't do that. With shorter passwords, attackers usually start with English and foreign word lists, common names, etc. They may also try each of those with varying capitalizations or with numbers prepended or appended. When attackers do resort to brute force, they often use password crackers that favor certain letters over others based on their usage in real language or other cracked passwords.

If a smart attacker knows that the passwords are all at least 15 characters, he also knows that dumb brute force is impossible. His best approach is to try passwords that he thinks will be common. This might mean trying all word pairings that are at least 15 characters, word pairings combined with a one- or two-digit number, or names with possible numerical birthdates. It could also mean trying famous quotes, movie quotes, and poems with varying punctuations and capitalizations.

An attacker trying an intelligent approach, rather than raw brute force, would probably also try predictable passwords such as 'a' or 'b' 15 times, or "abcdef...", etc. Such an attacker might not ever guess "I don't like the Red Sox", but "aaaa..." and "May the Force be with you" will get figured out pretty quickly.

Cheers,
Steven

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 2:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails but I thought that a 15-character passphrase is as secure as a 15-character random password. For that matter, I thought the user could use the letter "a" fifteen times and it could be as secure as a random 15-character password or a 15-character password such as "I don't like the Red Sox" (I think that's more than 15, though).

Harold
Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
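The classes Steven describes (a single character repeated, alphabet runs, famous quotes, dictionary words and names with a number tacked on) are exactly what a password-quality check on the defender's side should reject at set-time, regardless of length. The script below is an added illustration of that check; it is not code from this thread or from any list member. Its word, name and quote lists are tiny constructed stand-ins for the lists a real checker would carry, and the variant counts (four capitalization patterns per word, up to four appended digits, sixteen punctuation/case variants per quote) are assumptions used only to put a rough size on each class next to the random-password baseline.

```python
"""Password-policy check, written from the defender's side: does a
candidate password, however long, fall into one of the classes a
dictionary-plus-rules cracker tries before any brute force?
The word, name and quote lists are tiny constructed stand-ins."""
import math
import re
import string

# Constructed stand-ins for the word lists, name lists and quote
# collections a real password checker would carry.
WORDS = ["password", "summer", "football", "princess", "dragon", "monkey",
         "sunshine", "welcome", "shadow", "master", "force", "computer"]
NAMES = ["michael", "jennifer", "harold", "steven"]
QUOTES = ["may the force be with you", "to be or not to be",
          "i'll be back", "houston we have a problem"]
VOCAB = frozenset(WORDS + NAMES)
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiopasdfghjklzxcvbnm")
PRINTABLE = 95           # printable ASCII alphabet for the random baseline
CASE_VARIANTS = 4        # lower / Title / UPPER / mixed per word (assumption)
DIGIT_VARIANTS = 10_001  # no suffix, or 0000..9999 appended (assumption)


def normalise(s: str) -> str:
    """Lower-case and drop everything but letters and digits, so that
    'May the Force be with you!!' and 'maytheforcebewithyou' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def strip_digits(s: str) -> tuple[str, list[str]]:
    """Peel up to four digits off each end ('2007', '99', '1') and return
    the remaining core plus the digit runs that were removed."""
    runs = re.findall(r"^\d{1,4}|\d{1,4}$", s)
    core = re.sub(r"^\d{1,4}", "", s)
    core = re.sub(r"\d{1,4}$", "", core)
    return core, runs


def segment(core: str, max_words: int = 3):
    """Split `core` into at most max_words vocabulary words (depth-first);
    None if no such split exists."""
    if not core:
        return []
    if max_words == 0:
        return None
    for i in range(1, len(core) + 1):
        head = core[:i]
        if head in VOCAB:
            rest = segment(core[i:], max_words - 1)
            if rest is not None:
                return [head] + rest
    return None


def classify(pw: str) -> tuple[str, str, float]:
    """Return (class, evidence, log2 of the rough size of that class).
    The bits figure is the work needed by someone who tries that class
    first, under the list sizes and variant counts defined above."""
    low = pw.lower()
    if len(set(pw)) == 1:
        return ("repeated character", f"{pw[0]!r} x {len(pw)}",
                math.log2(PRINTABLE))
    if pw.isdigit():
        return ("digits only", pw, len(pw) * math.log2(10))
    if len(low) >= 4 and any(low in seq for seq in SEQUENCES):
        # one candidate per starting point in each sequence, roughly
        return ("alphabet/keyboard sequence", low,
                math.log2(sum(len(s) for s in SEQUENCES)))
    norm = normalise(pw)
    for q in QUOTES:
        if norm == normalise(q):
            return ("famous quote", q, math.log2(len(QUOTES) * 16))
    core, digits = strip_digits(norm)
    words = segment(core)
    if words:
        label = "dictionary words" + (" + digits" if digits else "")
        size = (len(VOCAB) * CASE_VARIANTS) ** len(words) * DIGIT_VARIANTS
        return (label, "+".join(words + digits), math.log2(size))
    return ("no match in the classes tried first", "", float("nan"))


def random_bits(length: int) -> float:
    """Baseline: a uniformly random password over printable ASCII."""
    return length * math.log2(PRINTABLE)


if __name__ == "__main__":
    for pw in ["aaaaaaaaaaaaaaa", "abcdefghijklmno",
               "May the Force be with you!", "Summer Football 2007",
               "Harold-Dragon-99", "I don't like the Red Sox",
               "x7#Tq!v2LpR9$wZ"]:
        label, evidence, bits = classify(pw)
        print(f"{pw!r:30} {label:38} {evidence:24} "
              f"{bits:6.1f} bits vs {random_bits(len(pw)):.1f} random")
```

Run as a script, it shows the point of the thread in numbers: the fifteen a's and the alphabet run sit in classes of under a hundred candidates (about 6 or 7 bits), the quote and the word-plus-year pairings in classes of a few million even with these toy lists, while a random 15-character printable-ASCII password sits at about 98.5 bits. Scaling the lists up to what a real checker carries (a hundred thousand words, hundreds of thousands of quotes) only moves the predictable classes to the 40-to-50-bit range, still nowhere near the random baseline. A "no match" result means only that the candidate escaped these first-tried classes, not that it is strong.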