Date: Tue Mar 28 20:02:59 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

Valdis.Kletnieks@...edu wrote:
>> And a password/passphrase meeting all requirements above and being at 
>> least
>> 20 chars long isn't very usable.
>
>On the other hand, "My unckle Fred's purple iguane has a wart on its 
>eyelid."
>is 57 characters long and gets you at least fairly close to 128 bits of
>entropy.  More if you randomly insert a special character or three.
>
>(As an aside, note that wr17ing 1t in '1337 sty1e doesn't add much 
>entropy -
>only about 1 bit of entropy (since all you need to do is record "was it an
>o or a 0", or "1 or l" or '3 or e' and so on.  Random injection of special
>characters, such as 'igu#ana' adds more entropy....

  Well, but in the example passphrase you chose above (and adding 4 for and 
5 for s), there are 20 potentially leet chars.  To specify each one as being 
either normal or leetified would add 20 bits of entropy.  If you assume the 
biggest threat against a complex passphrase like that is an advanced 
dictionary-based attack (combining multiple words and then testing 
leet-ified and number pre/post-fixed variations), then we just multiplied 
the cost of bruting it by 2^20.  I reckon that's a worthwhile multiplier!

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
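As an added illustration that is not part of the thread, the two attacker models behind the disagreement above (Valdis's "one rule rewrites every eligible character" versus Dave's "each character is leeted independently") worked out over the quoted passphrase. The leet table and the 32-symbol special-character set are assumptions, not something either poster specified.

```python
import math

# Assumed leet table: the thread names o/0, l/1, e/3 and Dave adds a/4 and s/5;
# i/1 is included here as well because it brings the count for the phrase to 20.
LEET_TABLE = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}

# Valdis's example passphrase, copied from the quoted mail.
PHRASE = "My unckle Fred's purple iguane has a wart on its eyelid."


def leet_positions(passphrase, table=LEET_TABLE):
    """Indices of characters that a leet-speak rewrite rule could touch."""
    return [i for i, c in enumerate(passphrase) if c.lower() in table]


def leet_bits(n_positions, independent):
    """Entropy (bits) that leet substitutions add under two attacker models.

    independent=False: Valdis's model, one rule rewrites every eligible
    character or none, so the attacker tries two variants (1 bit).
    independent=True: Dave's model, each eligible character is leeted or not
    on its own, so the attacker faces 2**n variants (n bits).
    """
    if n_positions == 0:
        return 0
    return n_positions if independent else 1


def injection_bits(length, n_specials):
    """Entropy from inserting one special character (chosen from a set of
    n_specials) at a uniformly random one of the length+1 gap positions."""
    return math.log2(n_specials * (length + 1))


def work_multiplier(bits):
    """Factor by which the attacker's candidate list grows."""
    return 2.0 ** bits


if __name__ == "__main__":
    n = len(leet_positions(PHRASE))
    print(f"{n} leet-able positions in the phrase")
    for model, label in ((False, "all-or-nothing rule"), (True, "per-character choice")):
        b = leet_bits(n, model)
        print(f"{label}: +{b} bits, x{work_multiplier(b):.0f} attacker work")
    print(f"one injected special (32-symbol set): +{injection_bits(len(PHRASE), 32):.2f} bits")
```

The gap between the two models is exactly the question of whether the attacker's wordlist rules treat leet as a single toggle or enumerate every subset of positions; the second is far more expensive for the attacker, which is the point Dave makes.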