Educause Security Discussion mailing list archives
Re: password vs pass-phrase (was: Are users right in rejecting security advice?)
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 18 Mar 2010 09:42:46 -0400
On Wed, 17 Mar 2010 21:03:28 PDT, Eric Case said:
Is it obvious to a brute force password cracker? If we assume the password hash has not been compromised and a key logger was not used, is it obvious that "four score and seven years ago" is an awful choice? Based on how the U of Arizona implemented NIST SP800-63, the above password/passphrase would score 53 bits of entropy. "4 score and 7 years ago" would only score 48 bits of entropy even though it uses three character classes and the first one only uses two classes.
Assuming proper configuration that rate-limits guesses (if somebody is trying more than once per second or more than 10 times a minute, you've got a problem), even 30 bits of entropy is *plenty*. Rate limited to 10 guesses/min, 30 bits of entropy will still take an average of 102 years or so to walk through. And if you've got something woodpeckering 10 guesses/min at you for weeks on end and fail to notice, you've got *bigger* problems. Besides, in a world where an estimated 140 million computers have been zombied and potentially have keystroke loggers installed, the entropy of a password means exactly *zero*. Squat. Nothing. Doesn't matter in the slightest. In my opinion, people who are still worrying about password strength beyond "make it at least 7-8 characters, and don't make it something a friend can easily guess (no GF/dog's names, etc.)" in today's computing environment are trying to fix the wrong problem(s).
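As an added illustration (not part of Valdis's message or the list archive), here is a Python sketch of both halves of his argument: the average time to walk a keyspace at a fixed guess rate, and a check that notices a source "woodpeckering" faster than the two thresholds he names. The log line format, addresses and user names are constructed for the example and do not correspond to any real product's log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def brute_force_years(entropy_bits, guesses_per_minute):
    """Average wall-clock years to walk a 2**bits keyspace at a fixed guess rate.
    The right guess turns up halfway through on average, hence the /2."""
    expected_guesses = 2 ** entropy_bits / 2
    minutes = expected_guesses / guesses_per_minute
    return minutes / (60 * 24 * 365.25)


def parse_line(line):
    # Constructed (hypothetical) format: "<ISO timestamp> src=<ip> user=<name> result=<ok|fail>"
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["result"]


def flag_guessers(log_text, per_minute_limit=10, min_interval=timedelta(seconds=1)):
    """Return {source: reason} for sources whose failed logins break either threshold:
    more than per_minute_limit failures in any 60 s window, or two failures closer
    together than min_interval. Lines are assumed to be in time order per source."""
    windows = defaultdict(deque)   # src -> timestamps of failures inside the last 60 s
    last_fail, flagged = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, result = parse_line(line)
        if result != "fail":
            continue                 # successes never count against a source
        if src in last_fail and ts - last_fail[src] < min_interval:
            flagged.setdefault(src, "faster than one guess per second")
        last_fail[src] = ts
        window = windows[src]
        window.append(ts)
        while ts - window[0] >= timedelta(seconds=60):   # expire failures older than the window
            window.popleft()
        if len(window) > per_minute_limit:
            flagged.setdefault(src, f"more than {per_minute_limit} failures per minute")
    return flagged


def build_sample_log():
    """Constructed sample: a slow woodpecker (11 failures, 5 s apart), a fast one
    (two failures 0.5 s apart) and a legitimate user who mistypes once, then succeeds."""
    t0 = datetime(2010, 3, 18, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} src=203.0.113.7 user=alice result=fail" for i in range(11)]
    lines += [f"{(t0 + timedelta(seconds=0.5 * i)).isoformat()} src=198.51.100.9 user=bob result=fail" for i in range(2)]
    lines += [f"{t0.isoformat()} src=192.0.2.4 user=carol result=fail",
              f"{(t0 + timedelta(seconds=30)).isoformat()} src=192.0.2.4 user=carol result=ok"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"30 bits at 10 guesses/min: ~{brute_force_years(30, 10):.0f} years on average")
    print(flag_guessers(build_sample_log()))
```

Raising `entropy_bits` by one doubles the years, while the same factor on the guess rate halves them, which is the trade-off the message is making.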