[clug] [OT] all text passwords == secure?

jm jeffm at ghostgun.com
Mon Aug 27 17:29:05 MDT 2012


On 27/08/12 11:31 PM, steve jenkin wrote:
>
> The ArsTechnica article points out the crackers already model these
> schemes and have dictionaries with good coverage, derived from the
> millions of real-world passwords that've been stolen. I was surprised
> that 5/6 characters are 'brute-force' crackable on low-cost equipment
> and 8/9 with large-scale ('cloud'). The 6/7 range is the 'sweet spot'
> for Rainbow codes...

Wouldn't this be a better measure of password security than
permutations or estimated entropy? How about modelling the methods used
by the state-of-the-art password cracker and giving the user an estimate
of how long it would take to crack the password? Rather than saying
you need a number, an upper case letter, a this or that, which the user
will just try to work around, or stating "weak", "medium", "strong", or
"very strong", say: estimated time to crack password is X days. That
should scare the user into changing their password to something better
and into understanding the threat.

Yes, I know you're limited by what the vendor chooses to give you.

Jeff.
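The estimator Jeff describes, as an added illustration that is not part of the original post or anyone's product: a small Python model of the order in which a cracker would try candidates (a wordlist ranked by popularity, then the mangling rules applied to each word: capitalisation, leet substitutions, appended digits with years tried first, with plain brute force over the character classes actually used as the fallback), and a conversion of the resulting guess count into time at a few assumed guess rates. The wordlist, the rule multipliers and the guess rates are all constructed for the example; a real meter would load a leaked-password list of millions of entries and calibrate the rates against the hash the vendor actually uses.

```python
"""Crack-time estimator: score a password by modelling the order in which a
cracker would try candidates, then report the result as time rather than as
an entropy figure or a "weak/medium/strong" label.  Added example; the
wordlist, rule multipliers and guess rates are constructed for illustration."""
import re

# Constructed toy wordlist, ranked by popularity (rank 1 = tried first).
# A real estimator loads a leaked-password list with millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "monkey",
            "football", "iloveyou", "sunshine", "princess", "welcome", "shadow"]
RANK = {word: i + 1 for i, word in enumerate(WORDLIST)}

# Leet substitutions a cracker's rule set reverses ("P@ssw0rd" -> "Password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Character classes for the brute-force fallback (33 = printable ASCII punctuation).
CHARSETS = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

# Assumed guess rates in guesses/second (hypothetical round numbers): a GPU rig
# against an unsalted fast hash, the same rig against bcrypt at a high cost
# factor, and an online login form with rate limiting.
RATES = {"fast_hash_gpu": 1e10, "bcrypt_cost12": 1e4, "online_throttled": 10.0}


def brute_force_guesses(pw):
    """Exhaustive search over only the classes the password actually uses."""
    space = sum(size for pattern, size in CHARSETS if re.search(pattern, pw))
    return space ** len(pw)


def dictionary_guesses(pw):
    """Guesses for a wordlist + mangling-rules attack, or None if no wordlist
    word (after undoing the rules) fits.  Each rule multiplies the number of
    candidates the cracker enumerates before reaching this password."""
    split = re.fullmatch(r"(.*?)(\d{0,4})", pw)        # word + up to 4 trailing digits
    candidates = []
    for core, suffix in {(pw, ""), (split.group(1), split.group(2))}:
        for unleet in (core, core.translate(LEET)):    # with and without de-leeting
            base = unleet.lower()
            if base not in RANK:
                continue
            guesses = RANK[base]
            # Case: all-lower is free, Capitalised is the next rule tried,
            # anything else forces every case combination of the letters.
            if unleet != base:
                letters = sum(c.isalpha() for c in unleet)
                guesses *= 2 if unleet == base.capitalize() else 2 ** letters
            # Leet: each substituted position doubles the variants to try.
            guesses *= 2 ** sum(a != b for a, b in zip(core, unleet))
            # Appended digits: years are tried before arbitrary digit strings.
            if suffix:
                is_year = len(suffix) == 4 and 1900 <= int(suffix) <= 2029
                guesses *= 130 if is_year else 10 ** len(suffix)
            candidates.append(guesses)
    return min(candidates) if candidates else None


def estimate_guesses(pw):
    """The cheapest attack wins: wordlist + rules if it applies, else brute force."""
    from_dict = dictionary_guesses(pw)
    brute = brute_force_guesses(pw)
    return min(from_dict, brute) if from_dict is not None else brute


def crack_time_seconds(pw, scenario="fast_hash_gpu"):
    return estimate_guesses(pw) / RATES[scenario]


def humanize(seconds):
    if seconds < 1:
        return "less than a second"
    if seconds >= 100 * 365 * 86400:
        return "centuries"
    for name, size in [("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)]:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"


def describe(pw, scenario="fast_hash_gpu"):
    """The user-facing message: a time, not a colour and not a composition rule."""
    return (f"estimated time to crack {pw!r} ({scenario}): "
            f"{humanize(crack_time_seconds(pw, scenario))}")


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "letmein2012", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        for scenario in RATES:
            print(describe(pw, scenario))
```

Run directly, the script prints one line per password and scenario. The point the model makes is Jeff's: "P@ssw0rd1" satisfies every composition rule (upper, lower, digit, symbol, nine characters) yet sits 80 guesses into a rules attack, so it reads "less than a second" on every scenario, while a long all-lowercase passphrase that no rule reaches is scored by brute force and reads "centuries". The model deliberately omits combinator attacks (joining two wordlist words), which a real estimator would add so that multi-word passphrases are not overrated.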


