[clug] [OT] all text passwords == secure?

Sam Couter sam at couter.id.au
Mon Aug 27 06:54:14 MDT 2012

Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
> Unfortunately some people have difficulty understanding a very basic
> concept - it doesn't matter if the password is composed of one word, or
> twenty - *if it's composed of words it's vulnerable to a dictionary attack*.

I think you've missed something here, and that's the size of the set of
words from which you're selecting the password compared with the size of
the character set you're using.

If we assume around 131,000 (2^17) words in English, four randomly
selected words is way better than an 8 character extended ASCII password,
which is used by nobody ever, and it's easier to remember. Three words is
about the same as a more normal password using only printable ASCII.

Longer combinations of words are much less vulnerable.

I don't know whether 131,000 is a fair count of the number of English
words. Adjust numbers according to your method of counting.

> Simply adding one non-alpha character somewhere (preferably *not* at the
> end of the password, preferably not a number) will render a dictionary
> attack useless. Now entropy is applicable to determining the difficulty
> of guessing the password.

Your extra character has added a few bits (depending on how random your
selection of character and position is) and makes the password much
harder to remember. I'm not saying don't do it, I'm saying don't
overestimate the strength you've added compared to the difficulty of
remembering it. Consider just adding another word instead.

> That's where typing:-
> "SiteNameRecipesMango"
> hitting the Home key followed by one press of the right-arrow and
> entering the glyph works.

This is fantasy - in the real world people have to use systems where
it's difficult or impossible to make cursor keys work right.

> Idiots[*1] on the back-end are a problem. I don't 'believe' passwords
> should be directly handled by the application

More fantasy? Authentication is pretty integral to most applications
because authorisation is integral to them.

Sam Couter         |  mailto:sam at couter.id.au
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
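The entropy figures Sam argues from can be checked directly. The following is an added example, not code from the post or from anyone on the list; it assumes the post's 2^17-word dictionary, the usual 95 printable ASCII characters, 256 for "extended ASCII", and, for the "add one non-alpha character" case, a symbol chosen uniformly from a constructed set of 32 and inserted at a uniformly random position. It also generalises the comparison to any word count and character-set size.

```python
import math

# Assumptions taken from the post (word count) or stated here (character sets).
ENGLISH_WORDS = 2 ** 17       # ~131,000 words, Sam's working figure
PRINTABLE_ASCII = 95          # 0x20..0x7E
EXTENDED_ASCII = 256          # every byte value
SYMBOL_SET = 32               # constructed: size of the non-alpha set a user picks from


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int = ENGLISH_WORDS) -> float:
    """Entropy of n_words words chosen uniformly from a dictionary the attacker also has."""
    return entropy_bits(wordlist_size, n_words)


def added_symbol_bits(passphrase_len: int, symbol_set: int = SYMBOL_SET) -> float:
    """Bits gained by inserting one random symbol at a random position.

    There are (passphrase_len + 1) insertion slots and symbol_set choices,
    so the attacker's search space grows by a factor of symbol_set * (len + 1).
    """
    return math.log2(symbol_set * (passphrase_len + 1))


def compare(n_words: int, passphrase_len: int) -> dict:
    """Side-by-side figures for the cases discussed in the thread."""
    return {
        "words": passphrase_bits(n_words),
        "one_more_word": passphrase_bits(1),
        "one_random_symbol": added_symbol_bits(passphrase_len),
        "8_printable_ascii": entropy_bits(PRINTABLE_ASCII, 8),
        "8_extended_ascii": entropy_bits(EXTENDED_ASCII, 8),
    }


if __name__ == "__main__":
    # A four-word phrase of roughly 20 letters (constructed length).
    for name, bits in compare(4, 20).items():
        print(f"{name:>20}: {bits:5.1f} bits")
```

Run as-is, the output shows four words at 68 bits against 64 bits for eight extended-ASCII characters and three words at 51 bits against about 52.6 bits for eight printable characters, matching the post. It also shows the point about the extra symbol: one random non-alpha character in a random slot of a 20-letter phrase adds about 9.4 bits, while another word adds 17, which is the trade Sam is suggesting. The figures assume the attacker knows the scheme and the dictionary; a word list larger or smaller than 2^17 shifts the word figures by log2 of the ratio.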