lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e0c17p$ofu$1@sea.gmane.org>
Date: Tue Mar 28 20:02:59 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: guidelines for good password policy
	andmaintenance / user centric identity with single passwords
	(or asmall number at most over time)

Valdis.Kletnieks@...edu wrote:
>> And a password/passphrase meeting all requirements above and being at 
>> least
>> 20 chars long isn't very usable.
>
>On the other hand, "My unckle Fred's purple iguane has a wart on its 
>eyelid."
>is 57 characters long and gets you at least fairly close to 128 bits of
>entropy.  More if you randomly insert a special character or three.
>
>(As an aside, note that wr17ing 1t in '1337 sty1e doesn't add much 
>entropy -
>only about 1 bit of entropy (since all you need to do is record "was it an
>o or a 0", or "1 or l" or '3 or e' and so on.  Random injection of special
>characters, such as 'igu#ana' adds more entropy....

  Well, but in the example passphrase you chose above (and adding 4 for and 
5 for s), there are 20 potentially leet chars.  To specify each one as being 
either normal or leetified would add 20 bits of entropy.  If you assume the 
biggest threat against a complex passphrase like that is an advanced 
dictionary-based attack (combining multiple words and then testing 
leet-ified and number pre/post-fixed variations), then we just multiplied 
the cost of bruting it by 2^20.  I reckon that's a worthwhile multiplier!

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ