lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2df3b0cb0803121245h6417b913ka237ab466c5d7b71@mail.gmail.com>
Date: Wed, 12 Mar 2008 16:45:01 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: jf <jf@...glingpointers.net>
Cc: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
Subject: Re: Diceware method adoption - brute force me if
	you dare

jf,

if your analogy was somehow decent, it would consider the police
giving citizens some shotguns since the Diceware dictionary is freely
available for download.




On Wed, Mar 12, 2008 at 11:49 PM, jf <jf@...glingpointers.net> wrote:
> police officers (in the states) wear bullet proof vests because there is a
>  high probability of them getting shot/shot at, do you think that somehow makes it legal?
>
>
>  On Wed, 12 Mar 2008, M.B.Jr. wrote:
>
>  > Date: Wed, 12 Mar 2008 16:15:56 -0300
>  > From: M.B.Jr. <marcio.barbado@...il.com>
>  > To: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
>  > Subject: [Full-disclosure] Diceware method adoption - brute force me if you
>  >     dare
>
>
> >
>  > Dear list,
>  > I was studying this passphrase creation method called Diceware:
>  >
>  > http://world.std.com/~reinhold/diceware.html
>  >
>  > In it, one rools a common dice five times, write down the results, in
>  > a sequential manner,  and then check the suggested word in the
>  > DICTIONARY they provide.
>  > You got that? The method is supposed to give the user the words to use.
>  >  Say your results were "5;6;1;5;3", then you check their table and the
>  > word listed under that number sequence is "sus"; well, that's the
>  > (pretty short) word to use in your passphrase.
>  > A 46,656 (6^6) word dictionary, publicly available. The method is
>  > clearly one bad choice for password creation but it's fairly
>  > acceptable for obtaining passphrases and concerning the latter, it
>  > assumes that eventual attackers know the referred dictionary, however
>  > offering a low guessing probability (high information entropy) for
>  > passphrases.
>  >
>  > Despite the "rite of passage" idea in which the target stops trying to
>  > hide and starts expecting attacks as a certainty, my point here is
>  > legal.
>  > Doesn't adopting the Diceware method in a, say, government corporative
>  > environment means legalizing brute force attacks?
>  >
>  > Yours faithfully,
>  >
>  >
>  >
>  >
>



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ