Message-ID: <44299156.1040404@csuohio.edu>
Date: Tue Mar 28 20:42:14 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)
> Well, but in the example passphrase you chose above (and adding 4 for and
> 5 for s), there are 20 potentially leet chars. To specify each one as being
> either normal or leetified would add 20 bits of entropy. If you assume the
> biggest threat against a complex passphrase like that is an advanced
> dictionary-based attack (combining multiple words and then testing
> leet-ified and number pre/post-fixed variations), then we just multiplied
> the cost of bruting it by 2^20. I reckon that's a worthwhile multiplier!
Most password crackers (notably L0pht) can do "common character
substitution" tests in conjunction with a wordlist -- thus, 'l33t1fy1ng'
your passwords is a pretty poor defense.
Michael Holstein CISSP GCIA
Cleveland State University
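Added example, not part of this thread: a small Python password-policy check that takes the point above seriously by de-leeting a candidate password and testing it against a wordlist, plus a count of how many variants a substitution rule derives from a plain word. The substitution table, the wordlist and the sample passwords are constructed for the example.

```python
import itertools
import re

# Leet character -> plain letters it commonly stands in for. Constructed table
# for this example; the substitution rules in crackers use similar, larger ones.
LEET_TO_PLAIN = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}
# Inverse view: plain letter -> the leet characters a rule may swap in.
PLAIN_TO_LEET = {}
for leet, plains in LEET_TO_PLAIN.items():
    for p in plains:
        PLAIN_TO_LEET.setdefault(p, []).append(leet)

# Constructed stand-in for a real cracking wordlist.
WORDLIST = {"password", "battery", "staple", "cleveland", "state", "security"}


def substitution_variants(plain):
    """Candidates a 'common character substitution' rule derives from one plain
    word: each position is left alone or replaced by one of its leet forms."""
    total = 1
    for ch in plain.lower():
        total *= 1 + len(PLAIN_TO_LEET.get(ch, []))
    return total


def deleet_candidates(token):
    """Every plain spelling the token could be a leet variant of (the rule run
    backwards); '1' expands to '1', 'i' and 'l', so ambiguity is preserved."""
    choices = [(ch,) + tuple(LEET_TO_PLAIN.get(ch, "")) for ch in token.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def is_dictionary_derived(password):
    """Policy check: True when every word of the password, optionally minus a
    numeric prefix/suffix, de-leets to a wordlist entry. Such a password costs
    a cracker only |wordlist| x substitution_variants, whatever digits it has."""
    tokens = [t for t in re.split(r"[\s\-_.]+", password) if t]
    if not tokens:
        return False
    for tok in tokens:
        forms = {tok, tok.strip("0123456789")} - {""}
        if all(deleet_candidates(f).isdisjoint(WORDLIST) for f in forms):
            return False
    return True


if __name__ == "__main__":
    for pw in ("5t4t3", "P455w0rd2006", "B4tt3ry-St4pl3", "xq9vL!p"):
        print(pw, "dictionary-derived" if is_dictionary_derived(pw) else "ok")
```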