Message-ID: <Pine.LNX.4.64.0803130248290.32738@localhost.localdomain>
Date: Thu, 13 Mar 2008 02:49:27 +0000 (UTC)
From: jf <jf@...glingpointers.net>
To: "M.B.Jr." <marcio.barbado@...il.com>
Cc: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
Subject: Re: Diceware method adoption - brute force me if you dare

police officers (in the states) wear bulletproof vests because there is a
high probability of them getting shot/shot at, do you think that somehow makes it legal?


On Wed, 12 Mar 2008, M.B.Jr. wrote:

> Date: Wed, 12 Mar 2008 16:15:56 -0300
> From: M.B.Jr. <marcio.barbado@...il.com>
> To: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
> Subject: [Full-disclosure] Diceware method adoption - brute force me if you dare
>
> Dear list,
> I was studying this passphrase creation method called Diceware:
>
> http://world.std.com/~reinhold/diceware.html
>
> In it, one rolls a common die five times, writes down the results in
> sequential order, and then checks the suggested word in the
> DICTIONARY they provide.
> You got that? The method is supposed to give the user the words to use.
>  Say your results were "5;6;1;5;3", then you check their table and the
> word listed under that number sequence is "sus"; well, that's the
> (pretty short) word to use in your passphrase.
> A 46,656 (6^6) word dictionary, publicly available. The method is
> clearly one bad choice for password creation but it's fairly
> acceptable for obtaining passphrases and concerning the latter, it
> assumes that eventual attackers know the referred dictionary, however
> offering a low guessing probability (high information entropy) for
> passphrases.
>
> Despite the "rite of passage" idea in which the target stops trying to
> hide and starts expecting attacks as a certainty, my point here is
> legal.
> Doesn't adopting the Diceware method in a, say, government corporate
> environment mean legalizing brute force attacks?
>
> Yours faithfully,
>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
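As an added worked example, not part of this thread or of the Diceware project, the following Python script carries the quoted description through: five rolls of a die are joined into a lookup key (the post's "5;6;1;5;3" becomes "56153"), the key selects a word, and the passphrase's strength follows only from the number of equiprobable choices per word, since the list itself is public. It assumes five rolls per word, so a complete list has 6^5 = 7776 entries; the real Diceware word list is not embedded, so the script builds a constructed placeholder list that keeps only the "56153 -> sus" entry the post quotes, and it uses the `secrets` module as a stand-in for physical dice. The coverage check at the end is the one a defender would want before trusting a home-made list: a list with missing keys or repeated words delivers fewer bits than the arithmetic promises.

```python
import math
import secrets

SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = SIDES ** ROLLS_PER_WORD  # 7776 keys from "11111" to "66666"


def rolls_to_key(rolls):
    """Join dice results into the lookup key, e.g. [5, 6, 1, 5, 3] -> "56153"."""
    if len(rolls) != ROLLS_PER_WORD:
        raise ValueError("exactly %d rolls are needed per word" % ROLLS_PER_WORD)
    if any(r < 1 or r > SIDES for r in rolls):
        raise ValueError("each roll must be between 1 and %d" % SIDES)
    return "".join(str(r) for r in rolls)


def roll_dice(count=ROLLS_PER_WORD):
    """CSPRNG stand-in for physical dice; every face is equiprobable."""
    return [secrets.randbelow(SIDES) + 1 for _ in range(count)]


def build_placeholder_list():
    """Constructed stand-in for the real list: every key maps to a unique
    placeholder word, except the one entry the post quotes (56153 -> sus)."""
    words = {}
    for n in range(LIST_SIZE):
        digits = []
        for _ in range(ROLLS_PER_WORD):
            digits.append(str(n % SIDES + 1))
            n //= SIDES
        key = "".join(reversed(digits))
        words[key] = "w" + key  # hypothetical placeholder word
    words["56153"] = "sus"
    return words


def lookup(key, wordlist):
    """Return the word listed under a five-digit key."""
    return wordlist[key]


def generate_passphrase(num_words, wordlist):
    """Roll for each word and join the words with spaces."""
    return " ".join(lookup(rolls_to_key(roll_dice()), wordlist) for _ in range(num_words))


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Bits of entropy for num_words independent, uniform picks from the list."""
    return num_words * math.log2(list_size)


def expected_guesses(num_words, list_size=LIST_SIZE):
    """Average number of guesses an attacker who knows the list needs."""
    return list_size ** num_words / 2


def check_list(wordlist):
    """Coverage check: all keys present and no word repeated; returns the
    effective bits per word, which drops below log2(6^5) if words repeat."""
    expected_keys = set(build_placeholder_list())
    missing = expected_keys - set(wordlist)
    if missing:
        raise ValueError("list is missing %d keys" % len(missing))
    distinct = len(set(wordlist.values()))
    return math.log2(distinct)


if __name__ == "__main__":
    wl = build_placeholder_list()
    print("56153 ->", lookup(rolls_to_key([5, 6, 1, 5, 3]), wl))
    print("6-word passphrase:", generate_passphrase(6, wl))
    print("bits per word: %.2f" % entropy_bits(1))
    print("6 words: %.1f bits, ~%.3g expected guesses" % (entropy_bits(6), expected_guesses(6)))
    print("effective bits per word after coverage check: %.2f" % check_list(wl))
```

Because the attacker is assumed to hold the same dictionary, the passphrase's strength is exactly the 7776^N search space the arithmetic gives; nothing about the wording of the words adds to it, and a biased die or a list with duplicate words quietly subtracts from it.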