Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 18 Mar 2010 09:42:46 -0400

On Wed, 17 Mar 2010 21:03:28 PDT, Eric Case said:

> Is it obvious to a brute force password cracker?  If we assume the password
> hash has not been compromised and a key logger was not used, is it obvious
> that
>       four score and seven years ago
> is an awful choice?  Based on how the U of Arizona implemented NIST
> SP800-63, the above password/passphrase would score 53 bits of entropy.
>       4 score and 7 years ago
> would only score 48 bits of entropy even though it uses three character
> classes and the first one only uses two classes.

Assuming proper configuration that rate-limits guesses (if somebody is trying
more than once per second or more than 10 times a minute, you've got a
problem), even 30 bits of entropy is *plenty*.  Rate limited to 10 guesses/min,
30 bits of entropy will still take an average of 102 years or so to walk
through.  And if you got something woodpeckering 10 guesses/min at you
for weeks on end and fail to notice, you got *bigger* problems.

Besides, in a world where an estimated 140 million computers have been
zombied and potentially have keystroke loggers installed, the entropy
of a password means exactly *zero*.  Squat. Nothing. Doesn't matter in
the slightest.

In my opinion, people who are still worrying about password strength beyond
"make it at least 7-8 characters, and don't make it something a friend can
easily guess (no GF/dogs names, etc)" in today's computing environment are
trying to fix the wrong problem(s).
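The two claims in the rate-limiting paragraph above, worked out in code as an added example (this is not part of the mail or of any product Valdis describes): the average time to walk a 30-bit keyspace at 10 guesses/min, and a small detector that flags a source exceeding the "more than once per second or more than 10 times a minute" thresholds over failed-login log lines. The log format and the sample lines are constructed for the example; the per-source sliding window assumes lines arrive in time order for each source.

```python
"""Online-guessing arithmetic and a failed-login rate detector.

Added example, not from the original mail. The log line format
'ISO8601 FAIL|OK user=<name> src=<ip>' and the sample data are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds quoted in the mail: more than 1 guess/sec or more than
# 10 guesses/min against one account from one source is a problem.
MAX_PER_SECOND = 1
MAX_PER_MINUTE = 10


def average_years_to_walk(entropy_bits: int, guesses_per_minute: float) -> float:
    """Expected time to hit a password of `entropy_bits` bits when an
    online rate limit caps the attacker at `guesses_per_minute`.
    On average the attacker tries half the keyspace before succeeding."""
    expected_guesses = 2 ** entropy_bits / 2
    minutes = expected_guesses / guesses_per_minute
    return minutes / (60 * 24 * 365.25)


def flag_guessing_sources(log_lines, max_per_minute=MAX_PER_MINUTE,
                          max_per_second=MAX_PER_SECOND):
    """Return {src: timestamp} for each source whose FAIL events exceed
    either threshold inside a sliding window; the timestamp is the first
    event at which the threshold was crossed. Successful logins are ignored."""
    minute_windows = defaultdict(deque)
    second_windows = defaultdict(deque)
    flagged = {}
    for line in log_lines:
        ts_text, outcome, _user, src_field = line.split()
        if outcome != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_text)
        src = src_field.split("=", 1)[1]
        for window, span, limit in (
            (minute_windows[src], timedelta(minutes=1), max_per_minute),
            (second_windows[src], timedelta(seconds=1), max_per_second),
        ):
            window.append(ts)
            # Drop events that fell out of the window (older than `span`).
            while ts - window[0] >= span:
                window.popleft()
            if len(window) > limit:
                flagged.setdefault(src, ts)
    return flagged


# Constructed sample: one source fails every 4 s (12 attempts in 44 s),
# another fails three times 20 s apart and then logs in successfully.
BASE = datetime(2010, 3, 18, 9, 0, 0)
SAMPLE_LOG = (
    [f"{(BASE + timedelta(seconds=4 * i)).isoformat()} FAIL user=alice src=10.0.0.5"
     for i in range(12)]
    + [f"{(BASE + timedelta(seconds=20 * i)).isoformat()} FAIL user=bob src=10.0.0.9"
       for i in range(3)]
    + [f"{(BASE + timedelta(seconds=70)).isoformat()} OK user=bob src=10.0.0.9"]
)

if __name__ == "__main__":
    print(f"30 bits at 10 guesses/min: {average_years_to_walk(30, 10):.1f} years")
    print(f"30 bits at 1 guess/sec:    {average_years_to_walk(30, 60):.1f} years")
    print("flagged:", flag_guessing_sources(SAMPLE_LOG))
```

The first source crosses the 10-per-minute line on its 11th failure (40 seconds in) and is reported once; the second source stays under both thresholds and is never reported. Lowering `max_per_minute` tightens the alert, but the mail's point stands either way: with the limit enforced, even a 30-bit secret costs a century of guessing on average.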
