Full Disclosure mailing list archives

Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)


From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Tue, 28 Mar 2006 20:02:16 +0100

Valdis.Kletnieks () vt edu wrote:
> And a password/passphrase meeting all requirements above and being at
> least 20 chars long isn't very usable.
>
> On the other hand, "My unckle Fred's purple iguane has a wart on its
> eyelid." is 57 characters long and gets you at least fairly close to 128
> bits of entropy.  More if you randomly insert a special character or three.
>
> (As an aside, note that wr17ing 1t in '1337 sty1e doesn't add much
> entropy - only about 1 bit of entropy (since all you need to do is record
> "was it an o or a 0", or "1 or l" or '3 or e' and so on).  Random injection
> of special characters, such as 'igu#ana' adds more entropy....

  Well, but in the example passphrase you chose above (and adding 4 for and 
5 for s), there are 20 potentially leet chars.  To specify each one as being 
either normal or leetified would add 20 bits of entropy.  If you assume the 
biggest threat against a complex passphrase like that is an advanced 
dictionary-based attack (combining multiple words and then testing 
leet-ified and number pre/post-fixed variations), then we just multiplied 
the cost of bruting it by 2^20.  I reckon that's a worthwhile multiplier!

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
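The two posters are arguing about the same quantity under two different attacker models: Valdis assumes a rule set that tries a phrase either plain or fully leetified (one extra bit), Dave assumes one that tries every per-character combination (one extra bit per substitutable character). The following script is an added worked example, not code from either poster or from the list; it measures both models against the phrase quoted in the thread. The substitution map (o/0, l/1, e/3, a/4, s/5, plus i/1 as in Valdis's "1t") and the brute-force simulation are assumptions made for illustration. With that map the phrase has exactly 20 substitutable positions, which is the figure Dave arrives at.

```python
"""Added example: search-space cost of leet substitution under two attacker rule models.
Not code from the thread; LEET_MAP and the brute-force model are assumptions."""

# Substitutions discussed in the thread: o/0, l/1, e/3, a/4, s/5, and i/1 (from "wr17ing 1t").
LEET_MAP = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}

# The passphrase quoted in the thread, kept verbatim (spelling included).
PHRASE = "My unckle Fred's purple iguane has a wart on its eyelid."


def leetable_positions(phrase):
    """Indexes of characters that have a substitute in LEET_MAP."""
    return [i for i, ch in enumerate(phrase) if ch.lower() in LEET_MAP]


def apply_mask(phrase, positions, mask):
    """Substitute at exactly the positions whose bit is set in `mask`
    (bit k of the mask selects the k-th entry of `positions`)."""
    chars = list(phrase)
    for bit, idx in enumerate(positions):
        if (mask >> bit) & 1:
            chars[idx] = LEET_MAP[chars[idx].lower()]
    return "".join(chars)


def per_char_variants(phrase):
    """Dave's model: every substitutable character is independently plain or leet,
    so the rule set enumerates 2**n candidates for n substitutable positions."""
    positions = leetable_positions(phrase)
    for mask in range(1 << len(positions)):
        yield apply_mask(phrase, positions, mask)


def all_or_nothing_variants(phrase):
    """Valdis's model: the rule set only tries the plain phrase and the fully
    leetified one, so leet adds a single bit regardless of phrase length."""
    positions = leetable_positions(phrase)
    yield phrase
    yield apply_mask(phrase, positions, (1 << len(positions)) - 1)


def added_bits(phrase, model):
    """Extra bits of search space leet adds under the named model."""
    n = len(leetable_positions(phrase))
    if model == "per_char":
        return n
    if model == "all_or_nothing":
        return 1 if n else 0
    raise ValueError(f"unknown model {model!r}")


def guesses_to_recover(target, base, variants):
    """Candidates tried, in enumeration order, before `target` is produced from `base`.
    Returns None if the rule set never generates the target (a partially leetified
    phrase is unreachable under the all-or-nothing model)."""
    for count, candidate in enumerate(variants(base), start=1):
        if candidate == target:
            return count
    return None


if __name__ == "__main__":
    n = len(leetable_positions(PHRASE))
    print(f"substitutable positions: {n}")
    print(f"per-char model adds {added_bits(PHRASE, 'per_char')} bits "
          f"({2 ** added_bits(PHRASE, 'per_char'):,} variants)")
    print(f"all-or-nothing model adds {added_bits(PHRASE, 'all_or_nothing')} bit")
    # A short constructed phrase keeps the brute-force demonstration fast.
    base, partial = "iguane has", "1gu4ne h4s"
    print("per-char guesses for", partial, "=", guesses_to_recover(partial, base, per_char_variants))
    print("all-or-nothing guesses =", guesses_to_recover(partial, base, all_or_nothing_variants))
```

The multiplier Dave quotes (2^20) is the worst case for the per-character model; on average an attacker enumerating masks in order lands on the right one after half of them. The practical point for anyone setting policy is that the benefit of leet depends entirely on which rule set the attacker runs, and the all-or-nothing result shows that a partially leetified phrase is simply never generated by the cheaper rule set, not merely found later.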



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/