Firewall Wizards mailing list archives
Re: Re[2]: password aging
From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 2 Sep 1998 16:17:16 -0700
This occurred to me as well. The obvious counter-argument is that (assuming that it doesn't just generate them, but forces them on people, and they can't pick their own) this eliminates the much more stupid choices people will make if given an opportunity. It's probably not really fair to compare 18 million choices with 309 million. It's more realistic to compare 18 million with 50,000. This assumes a list of hashes that represent some representative size group of people.

Of course, it's all moot, since many implementations would have the worst of all possible worlds... FIPS generated passwords that the user writes on a sticky, or manually changes to "password." :)

Seriously though... 18 million to choose from, if the user isn't allowed to pick their own, is a big improvement over people being able to choose from the dictionary.

Ryan

Section 2.4 cites that the algorithm is capable of producing "approximately 18 million 6-character" passwords; compare this with the set of 309 million lowercase 6-character passwords, and we see that the lack of entropy in the output has reduced the search space to about 5% of its original size.