[clug] [OT] all text passwords == secure?
Peter Barker
pbarker at barker.dropbear.id.au
Tue Aug 28 04:16:54 MDT 2012
On Tue, 28 Aug 2012, Scott Ferguson wrote:
> A dictionary attack is too easy - and it's the first attack tried. Add
> just one non-alpha character to that multi-word string and only brute
> force will guess it - then you have a much harder password to break.
> Much, much harder.
Agreed. Pure dictionary-based attacks are not possible then.
> Longer *numbers* of words are *less* vulnerable than shorter *numbers* of
> words.
>
> What you are missing is that the XKCD strip is being interpreted to mean
> that number of words (total of 25 characters) is *less* vulnerable to a
> brute force (try all 218 characters) attack on 8 mixed characters. It is.
> What the strip misses is that in real life (not a comic strip) an attack
> would *not* be brute force - it'd be a dictionary attack.
Hmmm.
I think you might be misrepresenting Randall here. He is only ascribing 11
bits of entropy per word. I believe he is *assuming* people are going to
do a dictionary attack against it, and that they know you are using a
dictionary list - and which one.
You can read him "defending" the webcomic here:
http://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so
So. Let's say I want a password of 4 words, and I'm willing to use
*anything* picked out of /etc/dictionaries-common/words
pbarker at eccles:~$ echo "$(wc -l /etc/dictionaries-common/words | cut -f 1 -d ' ')^4" | bc
94397697714928713121
pbarker at eccles:~$
pbarker at eccles:~$ echo "2^44" | bc
17592186044416
pbarker at eccles:~$
Looks within spitting distance. He was using a 30,000 word estimate, I
think.
pbarker at eccles:~$ echo "30000^4" | bc
810000000000000000
pbarker at eccles:~$
> Do you get the point where the extra non-alpha character *forces* a
> brute force attack? Whereas without it entropy doesn't apply because
> entropy is a measure of randomness - which does *not* apply to
> dictionary attacks.
Oh yes, adding some punctuation is a great idea. It's not hard - just
insert an extra swearword somewhere and censor yourself ;-) (nb: this is
*not* actually a technique I use (and, on reflection, not a good one...)).
Yours,
--
Peter Barker | Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au | You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams
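Added example (not part of the thread or its authors' posts): the search-space arithmetic the messages above do with bc, carried through in Python so the schemes can be compared in bits. The 11 bits/word, 30,000-word list, the Debian word-list product, the 218-character alphabet and the 25-character passphrase come from the thread; the 32-symbol punctuation set and the 1e9 guesses/second rate are constructed assumptions.

```python
"""Entropy arithmetic behind the passphrase-vs-password argument."""
import math

# Figures taken from the thread; SYMBOL_ALPHABET and the guess rate are assumed.
XKCD_BITS_PER_WORD = 11                          # Randall's 11 bits/word
XKCD_WORDS = 4
THREAD_WORDLIST_SIZE = 30000                     # the "30,000 word estimate"
DEBIAN_WORDLIST_COMBOS = 94397697714928713121    # wc -l ... ^4 from the post
MIXED_ALPHABET = 218                             # "try all 218 characters"
MIXED_LENGTH = 8
PASSPHRASE_CHARS = 25                            # "total of 25 characters"
SYMBOL_ALPHABET = 32                             # assumed: ASCII punctuation
GUESSES_PER_SECOND = 1e9                         # assumed offline cracking rate

def passphrase_bits(dictionary_size, words):
    """Entropy when each word is drawn uniformly from a list the attacker
    knows: the dictionary attack must cover dictionary_size**words guesses."""
    return words * math.log2(dictionary_size)

def charset_bits(alphabet_size, length):
    """Entropy of a fixed-length password over a known character set."""
    return length * math.log2(alphabet_size)

def extra_symbol_bits(passphrase_len, symbol_alphabet=SYMBOL_ALPHABET):
    """Bits added by inserting one symbol at a uniformly random position.
    A predictable placement (say '!' at the end) adds close to nothing,
    because a dictionary attack with mangling rules tries that first."""
    return math.log2((passphrase_len + 1) * symbol_alphabet)

def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to enumerate the whole space at `rate` guesses/s."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)

def comparison():
    """Bits of entropy for each scheme discussed in the thread."""
    return {
        "xkcd 4 words @ 11 bits": XKCD_BITS_PER_WORD * XKCD_WORDS,
        "4 words from 30,000": passphrase_bits(THREAD_WORDLIST_SIZE, 4),
        "4 words from Debian list": math.log2(DEBIAN_WORDLIST_COMBOS),
        "8 chars from 218": charset_bits(MIXED_ALPHABET, MIXED_LENGTH),
        "extra bits: +1 random symbol": extra_symbol_bits(PASSPHRASE_CHARS),
    }

if __name__ == "__main__":
    for name, bits in comparison().items():
        print(f"{name:30s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits):12.3e} years to exhaust")
```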