-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

lo,

On Wednesday 18 January 2006 04:09, Marius Mauch wrote:
> Well, hard to say what would be more secure,

that is certainly true.

> just pointing out that
> 12*[a-zA-Z] offers about 10.000-100.000 times more combinations than
> 8*[a-zA-Z0-9<special-chars>]:
> 52^12 = 390,877,006,486,250,192,896 ~ 3.9*10^20
> 95^8 = 6,634,204,312,890,625 ~ 6.6*10^15
> (assuming 33 special chars, could be a few more or less).
>
> And for completeness:
> 52^8 = 53,459,728,531,456 ~ 5.3*10^13
> 95^12 = 540,360,087,662,636,962,890,625 ~ 5.4*10^23
>
> As said, that doesn't relate to practical security, just shows that in
> theory changing the password length does more in terms of complexity
> than changing the set of allowed chars.
> And every combinational restriction added again decreases the
> complexity.

Very true, but it also works with minimum length as well. Consider that if you
FORCE users to use a passphrase (say min length of 15 chars) then with very
few exceptions they will just use recognisable dictionary words. So while the
theoretical amount of possibilities is a lot higher, in reality a well
written brute force application would find it no harder in practice to
compromise the passwords. If you are concerned about password security then
get away from it. Look at something like:

http://www.wikidsystems.com


I'm going to try and get it into the tree over the next few weeks.

- --
Benjamin Smee (strerror)
crypto/forensics/netmail/netmon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.20 (GNU/Linux)

iD8DBQFDzjL4AEpm7USL54wRAswXAKCHbfOU2yjgULabODq9mMMQyhMnyQCdFrf3
0utBEgSSiWTJKbgM/ESLguk=
=IcDn
-----END PGP SIGNATURE-----
--
gentoo-server@g.o mailing list
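
The argument in the message above, that a forced 15-character minimum mostly produces strings of dictionary words whose real search space is far below the per-character figure, can be checked in a password-policy test. This is an added example, not part of the original message: the word list, the assumed dictionary size of 100,000 and all function names are constructed for illustration.

```python
import math

# Constructed sample word list; a real checker would load a large dictionary.
WORDS = {"correct", "horse", "battery", "staple", "server",
         "gentoo", "pass", "word", "password"}
DICT_SIZE = 100_000  # assumed size of the dictionary a guesser would use
CHARSET = 52         # [a-zA-Z], as in the quoted message


def char_bits(pw, charset=CHARSET):
    """Bits of a per-character search space: log2(charset ** len(pw))."""
    return len(pw) * math.log2(charset)


def min_word_count(pw, words=WORDS):
    """Fewest dictionary words that concatenate to pw, or None if none do.

    Matching is case-insensitive, a simplification that ignores the few
    extra bits capitalisation would add.
    """
    s = pw.lower()
    best = [None] * (len(s) + 1)  # best[i]: fewest words covering s[:i]
    best[0] = 0
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in words:
                cand = best[start] + 1
                if best[end] is None or cand < best[end]:
                    best[end] = cand
    return best[len(s)]


def effective_bits(pw):
    """Smaller of the two models: per-character vs. word-by-word search."""
    bits = char_bits(pw)
    n = min_word_count(pw)
    if n is not None:
        bits = min(bits, n * math.log2(DICT_SIZE))
    return bits


def meets_policy(pw, min_len=15, min_bits=60.0):
    """A length rule alone accepts dictionary passphrases; this also
    requires the effective estimate to clear min_bits."""
    return len(pw) >= min_len and effective_bits(pw) >= min_bits


if __name__ == "__main__":
    for pw in ("gentooserverpassword", "qLzvTrwPbnXeaKdm"):
        print(pw, len(pw), round(char_bits(pw), 1),
              round(effective_bits(pw), 1), meets_policy(pw))
```

The 20-character passphrase passes the length rule with about 114 bits on paper, but only about 50 bits once it is treated as three dictionary words, so the combined policy rejects it.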