On Wed, 11 Jan 2012 18:09:40 -0500
"Mike Edenfield" <kutulu@××××××.org> wrote:

> > I agree. Longer pass{words,phrases} only increases the difficulty
> > of the problem, but not significantly so.
>
> After I read the aforementioned xkcd comic, my main question was how
> he defined the various bits of entropy for each "thing" done to a
> password. That seemed to be a crucial determining factor in why the
> "common words" password appeared so much harder than the "goofy
> gibberish" one. Some seemed more obvious to me than others.
>
> I'm also curious, using the latest modern password-cracking
> techniques, if his assessment really is accurate. As in, which of the
> following two passwords would take longer to crack:
>
> #purpl3.R$!n#
>
> dovesymbolcarprince

Interesting questions. Randall doesn't provide answers though. I
suppose he knows his audience and assumes we'll understand the gist of
what he's getting at and not demand full proof from him - it's his
comic, not his PhD thesis :-)

I noticed something about your first sample password, and it reveals a
lot; I hinted at it in my reply to Dale. Look at the pattern one must
type to enter that password (assuming a qwerty keyboard):

A symbol, a partial word, then 7 nonsense symbols. The pattern of those
symbols is highly significant - composed entirely of keystrokes in the
upper left area and lower right area of the keyboard with a few Shifts
thrown in for good measure. Almost as if you dropped both hands on the
keyboard and wiggled your fingers without moving the entire hand much.

How much entropy? A truck load less than you think!

And how often do you think people will do that (or something similar)
when creating passwords? How easy will it be for a dev with a clue to
write cracker software that takes such biases into account?

The second example looks better - four words that have no obvious
connection with each other and will not usually be found together.
Hence not much in the way of predictable pattern that I can see.

Personally, I advocate using smart password generators like apg. The
password truly is a random distribution of junk, but one that can be
pronounced (a key factor in remembering it). It's not too hard to
expand that to also use whole words, then you'd get a passphrase
without your own inherent bias in it. Just be careful that you don't
end up with a password containing the *developer's* own inherent
bias :-)


--
Alan McKinnnon
alan.mckinnon@×××××.com
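The message above makes two quantitative claims without numbers: that a naive character-class entropy figure for #purpl3.R$!n# overstates its strength because the keystrokes cluster in a couple of keyboard regions, and that a four-word passphrase should be judged by a word-list model rather than by its character count. The following is an added example, not code from this thread or from apg, that puts both samples through three models a defender might use in a password-policy check: naive character-class entropy, a uniform word-list model, and a QWERTY-grid analysis that measures adjacent-key runs and per-quadrant keystroke counts. It assumes a plain US QWERTY layout with no row stagger, the 32 ASCII punctuation characters as the symbol class, a Diceware-sized list of 7776 words for the passphrase model, and the conservative assumption that the attacker knows the word boundaries.

```python
import math
import string

# Unshifted and shifted US QWERTY rows, aligned column by column; a shifted
# character maps to the same physical key as its unshifted partner.
# Assumption: plain US QWERTY with no stagger correction.
_UNSHIFTED = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def _key_positions():
    """Map every printable key (shifted or not) to its (row, col) on the grid."""
    pos = {}
    for row, (plain, shifted) in enumerate(zip(_UNSHIFTED, _SHIFTED)):
        for col, (a, b) in enumerate(zip(plain, shifted)):
            pos[a] = (row, col)
            pos[b] = (row, col)
    return pos


KEY_POS = _key_positions()


def charset_entropy_bits(pw):
    """Naive estimate: every character drawn uniformly from the union of the
    character classes present. This is what strength meters usually report;
    it ignores any structure (words, leet substitutions, keyboard regions)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def wordlist_entropy_bits(n_words, list_size):
    """Entropy of n_words picked uniformly and independently from a list of
    list_size words, with word boundaries known to the attacker (the
    conservative model for a passphrase like dovesymbolcarprince)."""
    return n_words * math.log2(list_size)


def keyboard_adjacent_fraction(pw):
    """Share of consecutive keystroke pairs landing on neighbouring keys
    (Chebyshev distance <= 1 on the grid, Shift ignored). Keyboard walks such
    as 'qwerty' or '1qaz' score 1.0; characters off the grid are skipped."""
    pairs = [(KEY_POS.get(a), KEY_POS.get(b)) for a, b in zip(pw, pw[1:])]
    known = [(a, b) for a, b in pairs if a is not None and b is not None]
    if not known:
        return 0.0
    near = sum(1 for a, b in known
               if max(abs(a[0] - b[0]), abs(a[1] - b[1])) <= 1)
    return near / len(known)


def quadrant_counts(pw):
    """Keystrokes per keyboard quadrant. Top = number and QWERTY rows, bottom
    = home and ZXCV rows; left/right follows the usual touch-typing split
    (left hand covers `..5 on the number row and q..t, a..g, z..b below)."""
    counts = {"top-left": 0, "top-right": 0, "bottom-left": 0, "bottom-right": 0}
    for c in pw:
        if c not in KEY_POS:
            continue
        row, col = KEY_POS[c]
        vertical = "top" if row <= 1 else "bottom"
        left_limit = 5 if row == 0 else 4
        horizontal = "left" if col <= left_limit else "right"
        counts[f"{vertical}-{horizontal}"] += 1
    return counts


def report(pw, words=None, list_size=7776):
    """Summarise one password under all models; list_size=7776 assumes a
    Diceware-sized word list (an assumption, not a figure from the thread)."""
    out = {
        "charset_bits": round(charset_entropy_bits(pw), 1),
        "adjacent_fraction": round(keyboard_adjacent_fraction(pw), 2),
        "quadrants": quadrant_counts(pw),
    }
    if words is not None:
        out["wordlist_bits"] = round(wordlist_entropy_bits(words, list_size), 1)
    return out


if __name__ == "__main__":
    # The two sample passwords quoted in the thread.
    for pw, words in (("#purpl3.R$!n#", None), ("dovesymbolcarprince", 4)):
        print(pw, report(pw, words))
```

On the two samples this gives roughly 85 bits for the symbol password and 89 bits for the passphrase under the naive model, which is the misleading comparison; the word-list model puts the passphrase at about 52 bits, and the grid analysis shows the symbol password's thirteen keystrokes spread over only three of the four quadrants (seven of them in the top-left), with only two of twelve consecutive pairs on directly adjacent keys. A policy check would treat the quadrant skew, not the adjacency score, as the signal here, and would rate the passphrase by its word count rather than its length.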