Date: Wed, 27 Nov 2013 15:47:40 -0700
From: Joseph Bonneau <jbonneau@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] CJK character sets

I wrote a research paper with Rubin Xu on this topic last year using some
leaked datasets of Chinese and Hebrew speaking users:
http://www.jbonneau.com/doc/BX12-W2SP-passwords_character_encoding.pdf

There are many tidbits in there for those interested but the main point, as
suspected by Rich, is that very few Chinese speakers use any non-ASCII
characters in their passwords (and they do use decimal digits much more
frequently). Most of these users now use a Pinyin input system with
graphical feedback for disambiguation which is disabled for password fields
to prevent shoulder-surfing, so inputting these characters would require
pasting characters from another text field.

It seems that Chinese users don't produce a stronger distribution of
passwords, though we could use more evidence. In any case there shouldn't
be significant implications for the PHC; any candidate should handle
arbitrary binary input and therefore any string of UTF-8.

Cheers,

Joe


On Wed, Nov 27, 2013 at 1:58 PM, Krisztián Pintér <pinterkr@...il.com> wrote:

>
>
> remembering 8 ideograms is identical to remembering 8 words. it is
> perfectly doable, although most people just do not want to do it. an
> english word typically has the entropy of around 11-12 bits,
> which is identical to 2000-4000 ideograms. it is not a surprise, words
> are words, some languages have a little more, some a little less, but
> not that much different.
>
> typing ideograms requires 2-3 button presses, and that is a great
> advantage over typing the entire word. but with the caveat that most
> interfaces help with the options, so you don't have to remember the
> combinations. this is of course unacceptable with passwords.
>
> so i would say, Chinese speakers are not at an advantage, even if the system is
> designed around ideograms.
>
> but it points into the direction, which i think is right, of using
> random words as passwords, and possibly having a system to shorten
> them to save typing. it is more human than remembering characters. (i
> hope everyone knows the obligatory xkcd: http://xkcd.com/936/ )
>
>
>
> Marsh Ray (at Wednesday, November 27, 2013, 9:17:44 PM):
>
> > Having fluency in an alphabet orders of magnitude larger than our
> > tiny Western alphabets surely changes the password strength problem.
> > I would expect that it would make it easier to create and remember
> > strong entropy. A short 8-character  password in a Western script
> > could perhaps be more like a pass phrase in Chinese-based script.
>
>

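Joe's closing point is that a password hash should treat its input as opaque bytes, so any UTF-8 string is handled. The added example below (mine, not from the thread or from any PHC submission) checks that property with PBKDF2-HMAC-SHA256 standing in for a candidate, and shows the caveat a deployer still has to handle: the same visible Unicode string can arrive as different byte sequences (NFC vs NFD), so normalizing before encoding is what keeps a user's password verifiable. The sample passwords and salt are constructed.

```python
import hashlib
import unicodedata
from typing import Optional

# Constructed, fixed salt so results are reproducible here; use os.urandom(16) in practice.
SALT = b"phc-demo-salt"


def hash_password_bytes(pw: bytes, salt: bytes = SALT) -> bytes:
    """Hash arbitrary bytes. PBKDF2-HMAC-SHA256 stands in for a PHC candidate:
    the input is opaque, so NUL bytes, non-ASCII UTF-8 and raw binary are all
    accepted unchanged and produce a fixed-length digest."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 1000, dklen=32)


def hash_password_str(pw: str, normalize: Optional[str] = "NFC") -> bytes:
    """Encode a Unicode password as UTF-8 before hashing, optionally applying a
    Unicode normalization form first so that equivalent strings hash equally."""
    if normalize:
        pw = unicodedata.normalize(normalize, pw)
    return hash_password_bytes(pw.encode("utf-8"))


def same_hash_across_forms(pw: str) -> tuple:
    """For a password entered once as NFC and once as NFD, return
    (hashes_equal_without_normalization, hashes_equal_with_NFC).
    Precomposed 'é' (U+00E9) and 'e' + U+0301 look identical but encode differently."""
    nfc = unicodedata.normalize("NFC", pw)
    nfd = unicodedata.normalize("NFD", pw)
    raw_equal = hash_password_str(nfc, None) == hash_password_str(nfd, None)
    norm_equal = hash_password_str(nfc, "NFC") == hash_password_str(nfd, "NFC")
    return raw_equal, norm_equal


if __name__ == "__main__":
    # Constructed samples: a Chinese password, a Latin one with a combining mark, raw bytes.
    print(hash_password_bytes("密码123".encode("utf-8")).hex())
    print(hash_password_bytes(b"\x00\xff\x00binary").hex())
    print(same_hash_across_forms("café"))  # (False, True)
```

Whether normalization belongs in the hash function or in the application is a deployment decision; the hash itself should stay a function of bytes, as the thread argues.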