Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 21:03:28 -0700

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven Alexander
Sent: Wednesday, March 17, 2010 5:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase (was: Are users right
in rejecting security advice?)

I think this touches on an important point, we don't have much
experience or research guiding us in choosing good passphrases and will
run into many of the same problems with passphrases that we have with
passwords.

True.  We talk about character space or classes (lower, upper, number,
other), at some point the password crackers will start stringing words
together and we'll talk about word space.


<snip> Obviously, famous quotes, book titles, and the like are
awful choices.

Is it obvious to a brute force password cracker?  If we assume the password
hash has not been compromised and a key logger was not used, is it obvious
that
        four score and seven years ago
is an awful choice?  Based on how the U of Arizona implemented NIST
SP800-63, the above password/passphrase would score 53 bits of entropy.
        4 score and 7 years ago
would only score 48 bits of entropy even though it uses three character
classes and the first one only uses two classes.


<snip> But we're also going to run into problems with users
picking phrases that are too simple and end up being subject to
predictions based on language analysis.

I agree, once the password crackers start using language analysis or AI, the
game will change.  Until then, can we get by with long 'simple' passphrases
that are easy for users to remember?


Based on how the U of Arizona implemented NIST SP800-63 . . .
        I swim waffles          = 37 bits of entropy
        I like pancakes.        = 40 bits of entropy
        I like football.        = 40 bits of entropy
        My husband is boring.   = 46 bits of entropy
        Alice in Wonderland     = 44 bits of entropy
        TriSsmitp               = 27 bits of entropy
        My lawn is always green = 48 bits of entropy
        My lawn is sempre verde = 48 bits of entropy


I'm not suggesting that passphrases are bad, just that they are
unquantified.  Without good language analysis and lots of real-world
examples of chosen passphrases, we don't know whether people actually
choose better passphrases than passwords or how a passphrase of length
X compares to a password of length Y.

At least for now, you can quantify them based on length, character classes
and dictionary/complexity checks by using NIST SP800-63.  When the crackers
evolve, we will play catch-up (again).

NIST SP800-63 uses the research that Brian points out.
-Eric



Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
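Added example (not code from the thread, and not the U of Arizona scorer Eric describes): the per-character schedule and the two bonuses from Appendix A of the 2006 NIST SP 800-63, together with the character-class count and the "word space" bound the thread talks about. The dictionary-bonus ramp (full 6 bits through 8 characters, declining linearly to zero at 20) is my reading of the appendix; UA's quoted scores come out higher than this stock schedule, so their local rules add credit beyond it.

```python
import math

# NIST SP 800-63 (2006), Appendix A: rough entropy of a user-chosen password.
# First char 4 bits, chars 2-8 two bits each, 9-20 1.5 bits, 21+ one bit.
# +6 bits if policy requires upper case AND a non-alphabetic character.
# Up to +6 bits for an extensive dictionary check, shrinking with length
# (assumed here: full through 8 chars, linear to 0 at 20 chars).
def nist_800_63_entropy(password, composition_rule=False, dictionary_check=False):
    n = len(password)
    bits = 0.0
    for position in range(1, n + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    if composition_rule:
        bits += 6
    if dictionary_check:
        bits += 6 if n <= 8 else max(0.0, (20 - n) / 2)
    return bits


# The four classes the thread names: lower, upper, number, other.
def character_classes(password):
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("number")
        else:
            classes.add("other")
    return classes


# "Word space": the entropy a phrase WOULD have if every word were drawn
# uniformly from a vocabulary of vocabulary_size words. A famous quotation
# has far less, because a cracker guesses the phrase, not its words.
def word_space_bits(passphrase, vocabulary_size):
    return len(passphrase.split()) * math.log2(vocabulary_size)
```

Under the stock schedule "four score and seven years ago" (30 characters, two classes) scores 46 bits and "4 score and 7 years ago" (23 characters, three classes) scores 39, the same ordering the thread reports for UA's 53 and 48.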
