lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 12 Mar 2008 16:15:56 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: "Full-Disclosure mailing list" <full-disclosure@...ts.grok.org.uk>
Subject: Diceware method adoption - brute force me if you
	dare

Dear list,
I was studying this passphrase creation method called Diceware:

http://world.std.com/~reinhold/diceware.html

In it, one rools a common dice five times, write down the results, in
a sequential manner,  and then check the suggested word in the
DICTIONARY they provide.
You got that? The method is supposed to give the user the words to use.
 Say your results were "5;6;1;5;3", then you check their table and the
word listed under that number sequence is "sus"; well, that's the
(pretty short) word to use in your passphrase.
A 46,656 (6^6) word dictionary, publicly available. The method is
clearly one bad choice for password creation but it's fairly
acceptable for obtaining passphrases and concerning the latter, it
assumes that eventual attackers know the referred dictionary, however
offering a low guessing probability (high information entropy) for
passphrases.

Despite the "rite of passage" idea in which the target stops trying to
hide and starts expecting attacks as a certainty, my point here is
legal.
Doesn't adopting the Diceware method in a, say, government corporative
environment means legalizing brute force attacks?

Yours faithfully,



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ