[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2df3b0cb0803121245h6417b913ka237ab466c5d7b71@mail.gmail.com>
Date: Wed, 12 Mar 2008 16:45:01 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: jf <jf@...glingpointers.net>
Cc: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
Subject: Re: Diceware method adoption - brute force me if
you dare
jf,
if your analogy was somehow decent, it would consider the police
giving citizens some shotguns since the Diceware dictionary is freely
available for download.
On Wed, Mar 12, 2008 at 11:49 PM, jf <jf@...glingpointers.net> wrote:
> police officers (in the states) wear bullet proof vests because there is a
> high probability of them getting shot/shot at, do you think that somehow makes it legal?
>
>
> On Wed, 12 Mar 2008, M.B.Jr. wrote:
>
> > Date: Wed, 12 Mar 2008 16:15:56 -0300
> > From: M.B.Jr. <marcio.barbado@...il.com>
> > To: Full-Disclosure mailing list <full-disclosure@...ts.grok.org.uk>
> > Subject: [Full-disclosure] Diceware method adoption - brute force me if you
> > dare
>
>
> >
> > Dear list,
> > I was studying this passphrase creation method called Diceware:
> >
> > http://world.std.com/~reinhold/diceware.html
> >
> > In it, one rools a common dice five times, write down the results, in
> > a sequential manner, and then check the suggested word in the
> > DICTIONARY they provide.
> > You got that? The method is supposed to give the user the words to use.
> > Say your results were "5;6;1;5;3", then you check their table and the
> > word listed under that number sequence is "sus"; well, that's the
> > (pretty short) word to use in your passphrase.
> > A 46,656 (6^6) word dictionary, publicly available. The method is
> > clearly one bad choice for password creation but it's fairly
> > acceptable for obtaining passphrases and concerning the latter, it
> > assumes that eventual attackers know the referred dictionary, however
> > offering a low guessing probability (high information entropy) for
> > passphrases.
> >
> > Despite the "rite of passage" idea in which the target stops trying to
> > hide and starts expecting attacks as a certainty, my point here is
> > legal.
> > Doesn't adopting the Diceware method in a, say, government corporative
> > environment means legalizing brute force attacks?
> >
> > Yours faithfully,
> >
> >
> >
> >
>
--
Marcio Barbado, Jr.
"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists