[clug] [OT] all text passwords == secure?

Peter Barker pbarker at barker.dropbear.id.au
Tue Aug 28 04:16:54 MDT 2012


On Tue, 28 Aug 2012, Scott Ferguson wrote:

> A dictionary attack is too easy - and it's the first attack tried. Add
> just one non alpha character to that multi word string and only brute
> force will guess it - then you have a much harder password to break.
> Much, much harder.

Agreed.  Pure dictionary-based attacks are not possible then.

> Longer *numbers* of words are *less* vulnerable than shorter *numbers* of
> words.
>
> What you are missing is that the XKCD strip is being interpreted to mean
> that number of words (total of 25 characters) is *less* vulnerable to a
> brute force (try all 218 characters) attack on 8 mixed characters. It is.
> What the strip misses is that in real life (not a comic strip) an attack
> would *not* be brute force - it'd be a dictionary attack.

Hmmm.

I think you might be misrepresenting Randall here.  He is only ascribing 11 
bits of entropy per word.  I believe he is *assuming* people are going to 
do a dictionary attack against it, and that they know you are using a 
dictionary list - and which one.

You can read him "defending" the webcomic here: 
http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so

So.  Let's say I want a password of 4 words, and I'm willing to use 
*anything* picked out of /etc/dictionaries-common/words

pbarker at eccles:~$ echo "$(wc -l /etc/dictionaries-common/words | cut -f 1 -d ' ')^4" | bc
94397697714928713121
pbarker at eccles:~$
pbarker at eccles:~$ echo "2^44" | bc
17592186044416
pbarker at eccles:~$

Looks within spitting distance.  He was using a 30,000 word estimate, I 
think.

pbarker at eccles:~$ echo "30000^4" | bc
810000000000000000
pbarker at eccles:~$

> Do you get the point where the extra non alpha character *forces* a
> brute force attack? Whereas without it entropy doesn't apply because
> entropy is a measure of randomness - which does *not* apply to
> dictionary attacks.

Oh yes, adding some punctuation is a great idea.  It's not hard - just 
insert an extra swearword somewhere and censor yourself ;-)  (nb: this is 
*not* actually a technique I use (and, on reflection, not a good one...)).

Yours,
-- 
Peter Barker                          |   Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au	      |   You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams
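An added worked example (mine, not from Peter's or Scott's posts) that turns the bc arithmetic above into bits of entropy and puts the thread's figures side by side: four words from a 98569-entry list (98569 is the exact fourth root of the 94397697714928713121 output above, so I assume that was the line count of /etc/dictionaries-common/words on that box), from the 30,000-word estimate, from the 2048-word list that 11 bits/word implies, and 8 characters from Scott's 218-symbol alphabet. It also quantifies what one inserted symbol buys when the attacker knows the scheme; the 32-symbol set, the word-boundary insertion model and the 10^9 guesses/s rate are assumptions for illustration.

```python
import math

# Added example, not code from the thread. Word-list sizes: 98569 is the
# fourth root of 94397697714928713121 (assumed to be `wc -l` of the Debian
# word list in the session above); 30000 is the estimate in the thread;
# 2048 is what XKCD's 11 bits per word implies.

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_bits(dict_size: int, words: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a list of
    `dict_size` entries, assuming the attacker knows which list was used
    (a dictionary attack, which is what the strip's 44-bit figure assumes)."""
    return words * math.log2(dict_size)


def charset_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def symbol_insert_bits(words: int, symbol_count: int) -> float:
    """Extra bits gained by inserting one symbol, chosen uniformly from
    `symbol_count` candidates, at one of the words+1 word boundaries.
    With the scheme known this costs the attacker a few more bits; it does
    not turn a dictionary attack into an exhaustive character search."""
    return math.log2(symbol_count * (words + 1))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate a 2**bits space at an assumed rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(rate: float = 1e9) -> dict:
    """The search spaces discussed in the thread, in bits, with the time a
    hypothetical attacker at `rate` guesses/s would need to exhaust each."""
    cases = {
        "4 words, 98569-word list": passphrase_bits(98569, 4),
        "4 words, 30000-word list": passphrase_bits(30000, 4),
        "4 words, 2048-word list (11 bits/word)": passphrase_bits(2048, 4),
        "8 chars, 218-symbol alphabet": charset_bits(218, 8),
        "4 words, 2048 list + 1 of 32 symbols": (
            passphrase_bits(2048, 4) + symbol_insert_bits(4, 32)),
    }
    return {name: (round(b, 1), years_to_exhaust(b, rate)) for name, b in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:42s} {bits:6.1f} bits  {years:10.3g} years at 1e9/s")
```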

