Re: Secure passwords?



AV <reply_to_group.nospam@xxxxxxxxxxxxx> wrote in news:Hjnjf.39378$d5.195736@xxxxxxxxxxxxxxx:

> Which of these two passwords should be the most secure one:
>
> 1. "Jag undrar vaad som aar ett sakert"
>
> 2. "XVg6Gtzw"
>
> The first one is far more easy to understand for me since it is a
> somewhat incorrectly spelled sentence (in Swedish) whereas the other is
> 8 very cryptic characters not easy to remember.
>
> To me the first one seems much more secure since it has so many more
> characters and therefore should take far longer to brute force than the
> other. Dictionary attacks should also be rather useless since the words
> are incorrectly spelled and also it is a sentence and not a word. The
> sentence with similar misspellings would in English be something like:
>
> "I wooonder what iss a secuure"
>
> So what are your opinions?
>



My personal preference has always been for passphrases rather than
passwords. Because of the peculiarities of human memory it is possible to
remember a passphrase of much higher entropy than a password. For
example:

"A purple aardvark cavorts in a grotto of kumquat rinds."

This sentence, while too short, has been chosen to illustrate the
principle.

One can then "harden" the passphrase in a number of ways, such as:

Put two or three spaces between words and fill them with uncommon
characters and numbers in some half-assed memorizable pattern. For
instance:

"A1)Purple2(aardvark*3cavorts&5in^8a%13grotto%21of$34kumquat#55rinds."

(I used a very primitive pattern for illustration: top-row special
characters and the - slightly mangled - Fibonacci numbers, both in
order!)

You might also capitalize following some non-standard pattern, such as
the first and last letter of each word.

"A1)PurplE2(AardvarK*3CavortS&5IN^8A%13GrottO%21OF$34KumquaT#55RindS."

The nice thing about such passphrases is that they can often be
"assembled" in the input window just as I did above, rather than entered
directly in final form.

Now the principle in choosing passphrases says that the passphrase should
have (at least) as much entropy as the underlying algorithm (e.g., AES
128). Here's some condensed theory:

Choose words *randomly* (curb your prejudices and preferences!) from a
word list. (The average use vocabulary of an English adult is 5000 words,
the recognition vocabulary of a well-educated college graduate is perhaps
50,000 words, and the Oxford contains somewhere around 500,000 words.)

For good measure, do not count articles, prepositions, and the like in
the word total. Ten words chosen *randomly* from a list of 10,000 would
have a probability of 10000^10 or about 133 bits - that's the length of
passphrase we need (about twice as long as my illustrative one).

My fairly conservative policy (which has no theoretical support) is to
assume that the hardening roughly compensates for the loss of entropy due
to the regularity of the English sentence structure. Others may wish to
credit it either more or less.

Regards,


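The entropy arithmetic from the reply above, worked through as an added example (not code from the original post): bits for the 8-character password in the question, bits for ten words drawn from a 10,000-word list, and how many words a list of a given size needs to reach the AES-128 target. The word list here is a constructed stand-in; only its size matters for the numbers.

```python
import math
import secrets

# Constructed sample word list. A real list would hold about 10,000
# entries (the post's figure); the entropy arithmetic depends only on size.
WORDLIST = ["aardvark", "cavorts", "grotto", "kumquat", "rind", "purple",
            "ledger", "quartz", "harbor", "violin", "saddle", "mosaic"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`
    possibilities, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen words from a list of `list_size`
    entries whose combined entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def random_passphrase(words: list[str], n_words: int) -> str:
    """Pick words with secrets.choice (a CSPRNG). The post's point is that
    the words must be chosen *randomly*; a human picking favourites, or the
    non-cryptographic `random` module, does not give the claimed entropy."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare() -> dict[str, float]:
    """Worked numbers for the two passwords in the thread and the
    AES-128 target the reply uses as its yardstick."""
    return {
        # "XVg6Gtzw": 8 characters from upper, lower and digits (62 symbols)
        "XVg6Gtzw (62^8)": entropy_bits(62, 8),
        # the reply's ten words from a 10,000-word list
        "10 words / 10,000 list": entropy_bits(10_000, 10),
        # words needed for 128 bits at two of the vocabulary sizes quoted
        "words for 128 bits @10,000": words_needed(10_000, 128),
        "words for 128 bits @5,000": words_needed(5_000, 128),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value:.1f}")
    print(random_passphrase(WORDLIST, 5))
```

The 8-character password comes out near 48 bits, the ten-word phrase near 133 bits, so a 128-bit target needs 10 words from a 10,000-word list and 11 from a 5,000-word one.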

