Full Disclosure mailing list archives
Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Tue, 28 Mar 2006 20:02:16 +0100
Valdis.Kletnieks () vt edu wrote:
And a password/passphrase meeting all requirements above and being at least 20 chars long isn't very usable. On the other hand, "My unckle Fred's purple iguane has a wart on its eyelid." is 57 characters long and gets you at least fairly close to 128 bits of entropy. More if you randomly insert a special character or three. (As an aside, note that wr17ing 1t in '1337 sty1e doesn't add much entropy - only about 1 bit of entropy (since all you need to do is record "was it an o or a 0", or "1 or l" or '3 or e' and so on. Random injection of special characters, such as 'igu#ana' adds more entropy....
Well, but in the example passphrase you chose above (and adding 4 for a and 5 for s), there are 20 potentially leet chars. To specify each one as being either normal or leetified would add 20 bits of entropy. If you assume the biggest threat against a complex passphrase like that is an advanced dictionary-based attack (combining multiple words and then testing leet-ified and number pre/post-fixed variations), then we just multiplied the cost of bruting it by 2^20. I reckon that's a worthwhile multiplier!

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
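The two posters are using different models of the same substitution, and the disagreement (1 bit versus 20 bits) comes entirely from that. The script below is an added example, not from either poster, that makes both models explicit on the quoted passphrase: the all-or-nothing model (the phrase is either plain or fully leetified, so two variants) versus the per-character model (each leetable character is independently left alone or replaced, so 2^n variants). The substitution table is an assumption: it uses the pairs named in the thread (0/o, 1/l, 3/e, 4/a, 5/s) and additionally treats i as 1, which is what reproduces Dave Korn's count of 20 leetable characters.

```python
from itertools import product

# Constructed substitution table (assumption): the pairs named in the thread
# plus i -> 1, which together yield the 20 leetable characters Dave Korn counts.
LEET = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

# Valdis Kletnieks' passphrase, copied verbatim from the quoted message.
PHRASE = "My unckle Fred's purple iguane has a wart on its eyelid."


def leetable_positions(phrase, table=LEET):
    """Indices of characters that have a substitute in `table` (case-insensitive)."""
    return [i for i, ch in enumerate(phrase) if ch.lower() in table]


def all_or_nothing_bits(phrase, table=LEET):
    """Valdis' model: the phrase is either plain or fully leetified.
    Two variants -> log2(2) = 1 bit (0 bits if nothing can be substituted)."""
    return 1 if leetable_positions(phrase, table) else 0


def per_char_bits(phrase, table=LEET):
    """Dave's model: each leetable character is independently plain or
    replaced, so n such characters give 2**n variants -> n bits."""
    return len(leetable_positions(phrase, table))


def search_multiplier(phrase, table=LEET):
    """Factor by which a dictionary attacker's work grows if every
    per-character variant must be tried: 2**bits."""
    return 2 ** per_char_bits(phrase, table)


def variants(phrase, table=LEET):
    """Enumerate every per-character variant (only practical for short input)."""
    positions = leetable_positions(phrase, table)
    chars = list(phrase)
    for choice in product((False, True), repeat=len(positions)):
        out = chars[:]
        for pos, leet in zip(positions, choice):
            if leet:
                out[pos] = table[chars[pos].lower()]
        yield "".join(out)


def distinct_variant_count(phrase, table=LEET):
    """Brute-force confirmation that the variants are all distinct, so the
    count really is 2**per_char_bits. This holds because an original letter
    is never itself a digit, so every choice vector yields a different string."""
    return len(set(variants(phrase, table)))


if __name__ == "__main__":
    n = per_char_bits(PHRASE)
    print(f"leetable characters in the passphrase: {n}")
    print(f"all-or-nothing model adds {all_or_nothing_bits(PHRASE)} bit")
    print(f"per-character model adds {n} bits -> dictionary work x 2**{n} "
          f"= {search_multiplier(PHRASE)}")
    print(f"'sale' expands to {distinct_variant_count('sale')} distinct variants")
```

Both models are upper bounds of a sort: the per-character figure only holds if the user really does decide each substitution independently and unpredictably. In practice people leetify in habitual patterns (all occurrences, or only the first letter), so the entropy actually gained sits somewhere between the two numbers, and that is precisely the gap that rule-based password guessing exploits. From a policy standpoint the thread's point stands: length and genuinely random insertions add entropy reliably, while predictable substitution adds much less than the character count suggests.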
Current thread:
- guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) coderman (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) James Longstreet (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) <...> (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Gareth Davies (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Valdis . Kletnieks (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Dave Korn (Mar 28)
- Re: Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Michael Holstein (Mar 28)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) James Longstreet (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)