Re: Length vs Complexity



I personally base password strength off the bit strength (entropy) of the password, as well as not selecting dictionary words. In the case of your passwords, "Security.Basics.List" is 92 bits (there are 2^92 possibilities if someone was to attempt a brute force). In comparison, "D*3ft!7z" is 51 bits.

In a brute force attack the shorter password would come out second best, although keep in mind factors like dictionary attacks etc. can speed up guesses of common words.


On 17/09/2010 1:01 AM, Mike Razzell wrote:
Users hear constantly that they should add complexity to their
passwords, but from the math of it doesn't length beat complexity
(assuming they don't just choose a long word)? This is not to suggest
they should not use special characters, but simply that something like
Security.Basics.List would provide better security than D*3ft!7z. Is
that correct?

Thanks,
-Mike



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------