Firewall Wizards mailing list archives

Re: Re[2]: password aging


From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 2 Sep 1998 16:17:16 -0700


This occurred to me as well.  The obvious counter-argument
is that (assuming that it doesn't just generate them, but
forces them on people, and they can't pick their own) this
eliminates the much more stupid choices people will make
if given an opportunity.

It's probably not really fair to compare 18 million choices
with 309 million.  It's more realistic to compare 18 million
with 50,000.  This assumes a list of hashes that represent
some representative size group of people.

Of course, it's all moot, since many implementations would
have the worst of all possible worlds... FIPS generated passwords
that the user writes on a sticky, or manually changes to
"password." :)

Seriously though... 18 million to choose from, if the user
isn't allowed to pick their own, is a big improvement
over people being able to choose from the dictionary.

                         Ryan






  Section 2.4 cites that the algorithm is capable of producing
  "approximately 18 million 6-character" passwords; compare this with
  the set of 309 million lowercase 6-character passwords, and we see
  that the lack of entropy in the output has reduced the search space to
  about 5% of its original size.







