Re: Password Cracking

From: Mark H. Wood (mwood@mhw.ULib.IUPUI.Edu)
Date: 01/24/03


From: "Mark H. Wood" <mwood@mhw.ULib.IUPUI.Edu>
Date: Fri, 24 Jan 2003 14:54:08 +0000 (UTC)

In comp.os.ms-windows.nt.admin.security Lohkee <Lohkee@worldnet.att.net> wrote:
[snip]
> first attempt. Many papers have been written on the subject of password
> length, and they all - that I know of - conclude that a longer password is
> stronger. Why? Because the odds against guessing the correct one grow as the
> numbers of possibilities are increased. We can prove this mathematically.
> No one seems to have too much difficulty with this concept. Yet, for some
> completely bizarre reason, they gag on the reverse, i.e., that the odds in
> favor of the attacker increase as the number of possibilities to choose from
> is decreased (which is completely irrational to say the least). We can also
> prove this mathematically. Security through science or security through
> superstition. We all have a choice.

I think we have a case of violent agreement here. One side correctly
points out that, *if all points in the keyspace have an equal
probability of being chosen*, then decreasing the size of the total
keyspace increases the chances of correct guessing. The other side
correctly points out that *the observed behavior does not show an
equal probability of choice over the entire keyspace* -- the portion
of keyspace which is actually used is a very small subset of "all
points", and argues that removing these highly popular points tends to
disperse the actual choices.

Hmmm, looking back over that, I think I want to see some evidence to
support the idea that people make better password choices when they
can't have what they really wanted.

Meanwhile for medium-security passwords I use a program to roll
FIPS-181 compliant passwords for me, and check them for actual words
by eye. So at least my own passwords inhabit a different and, one may
hope, larger portion of the keyspace. Maybe instead of making it
harder to choose poor passwords, we should be making it easier to
choose good ones.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
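
Added example, not part of the original post: a toy model of the two positions the message reconciles. The Zipf-like popularity curve, the sizes N, G and B, and the two relocation behaviours ("spread" and "herd") are constructed assumptions, not measured data.

```python
# Toy model (all figures constructed): N possible passwords, an attacker
# who tries the G most likely ones, and a policy that bans the B most popular.
N, G, B = 1000, 10, 10

def normalise(weights):
    total = sum(weights)
    return [w / total for w in weights]

def guess_success(probs, guesses=G):
    """Chance that one user's password is among the attacker's best guesses."""
    return sum(sorted(probs, reverse=True)[:guesses])

def ban_top(probs, banned=B, mode="spread"):
    """Ban the most popular choices and relocate the users who wanted them.

    spread: displaced users pick uniformly among what is still allowed.
    herd:   displaced users all take the most popular allowed password.
    """
    ordered = sorted(probs, reverse=True)
    displaced, rest = sum(ordered[:banned]), ordered[banned:]
    if mode == "spread":
        return [p + displaced / len(rest) for p in rest]
    if mode == "herd":
        return [rest[0] + displaced] + rest[1:]
    raise ValueError(f"unknown mode: {mode}")

def compare():
    uniform = normalise([1.0] * N)                          # every point equally likely
    skewed = normalise([1.0 / r for r in range(1, N + 1)])  # assumed Zipf-like popularity
    return {
        "uniform": guess_success(uniform),
        "uniform, top banned": guess_success(ban_top(uniform)),
        "skewed": guess_success(skewed),
        "skewed, banned, spread": guess_success(ban_top(skewed, mode="spread")),
        "skewed, banned, herd": guess_success(ban_top(skewed, mode="herd")),
    }

if __name__ == "__main__":
    for label, p in compare().items():
        print(f"{label:24s} {p:.4f}")
```

With uniform choice the ban only shrinks the keyspace and the attacker's odds rise slightly; with skewed choice the result depends entirely on where the displaced users go, which is the evidence the post asks for.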

