[clug] [OT] all text passwords == secure?

steve jenkin sjenkin at canb.auug.org.au
Tue Aug 28 01:58:28 MDT 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Satrapa wrote on 28/08/12 10:29 AM:

> You think the specific example of “Mydogsandy” is a really bad 
> example? Why?

1. because it has low variance.

2. because it isn't derived systematically, you can't quantify it's
guessability

3. Humans, especially "The Great Unwashed Public", have remarkably
similar 'random' or 'creative' choices: they choose from small
dictionaries.

4. The cognitive bias introduced by the example phrase. Having been
'primed' people are much more likely to think in a straight-jacket.
eg. Our-cat-Cuddles, Your-moose-bert, their-rat-beaver, ...

5. Only one example, and hence one formula was given. Reasonable
pedagogy suggests a minimum of three examples using different
'formulas' to overcome 4.

6. But mostly, it's only *3* words (from limited dictionary/symbol set)
   IIRC, Diceware goes for 5. Around a 12-24 months to break currently.

The example given of 'diceware', or the passphrases that something
like s/key can generate, come from large enough dictionaries to be
useful and are either generated by an algorithmn that's been
crypto-analysed (hard to reverse) or something close to random
(throwing dice).

Not happy with my answer?

Then I'd like you to prove I'm wrong.
That is, derive a supportable number of attempts to crack, not hand wave.

For me to do that, I'd have to assert the dictionary sizes of each of
the three parts of the 'formula' suggested. I don't have the
real-world lists that have been cracked, maybe you know them.

Easy to say "use three words", hence multiply (three) dictionary sizes
together.

Less easy to say how many different formulas a Reasonable User might
choose from. What percentage would just swap around Pronoun-Pet-Name?

Note: you *cannot* use the ~7500-wd dictionary of Diceware as the
number you're going to raise to a power, because the article didn't
point to it and it isn't reasonable to suggest a Normal Untutored User
would think to look for such a thing.

IIRC, the article didn't suggest any dictionaries to use.


- -- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlA8eiQACgkQ37crV0tItuuuGACfVl4XFwqOVVd3/QM07W2SwxSF
q0MAnitnpUjOfBtwZFbHgPEUXy1dwI/c
=0he+
-----END PGP SIGNATURE-----

More information about the linux mailing list