Re: Password Cracking

From: Fireglyph (fireglyph@gmx.net)
Date: 01/24/03


From: fireglyph@gmx.net (Fireglyph)
Date: 24 Jan 2003 07:45:35 -0800


"Lohkee" <Lohkee@worldnet.att.net> wrote in message news:<Wx5Y9.1226$rq4.108092@bgtnsc05-news.ops.worldnet.att.net>...
> "Fireglyph" <fireglyph@gmx.net> wrote in message
> news:3e309b54$0$3034$9b622d9e@news.freenet.de...
>
> > In other words, you're completely right that if *all* users are
> > following the advice of security experts, hackers could adjust their
> > password crackers to the entropy underlying the well-known password
> > generation scheme and suddenly former weak passwords could become
> > strong passwords - and strong passwords could become weak ones.
>
> This is precisely my point with regard to the typical rules for strong
> passwords.

I'm sorry, but now that I have thought about the problem again, I have
become aware of the fact that I was talking rubbish.

We have to differentiate between *strength* and *risk*.

By definition, strength depends only on one distribution, not - as I said -
on two. That is, it depends on the entropy of the password scheme we have
chosen. For a given password scheme, the entropy doesn't change and therefore
strong passwords will always remain strong and weak passwords will always
remain weak (with regard to all possible probability distributions).

What could change, though, is the *risk*. Please see my other posting, which
is a reply to Mark Gordon.

Have a nice day,

Fireglyph
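
The strength/risk distinction drawn in the post above, as an added example that is not part of the original post: the strength figures are computed from the scheme's distribution alone, while the risk figure also depends on the order in which an attacker guesses. The toy scheme, both attacker models, all function names, and the use of expected guess count as the risk measure are assumptions made for illustration; the post defers its own treatment of risk to another posting.

```python
import math

# Constructed toy scheme (assumption): probability that a user following one
# password-generation rule ends up with each of four placeholder passwords.
SCHEME = {"pw1": 0.4, "pw2": 0.3, "pw3": 0.2, "pw4": 0.1}

# Two constructed attacker models: one mistaken about the scheme, one adjusted to it.
NAIVE_MODEL = {"pw1": 0.1, "pw2": 0.2, "pw3": 0.3, "pw4": 0.4}
INFORMED_MODEL = dict(SCHEME)


def entropy_bits(scheme):
    """Strength of the scheme: Shannon entropy of its own distribution."""
    return -sum(p * math.log2(p) for p in scheme.values() if p > 0)


def surprisal_bits(scheme, password):
    """Per-password strength, assumed here to be -log2 of its probability."""
    return -math.log2(scheme[password])


def guess_order(model):
    """Attacker tries passwords from most to least likely under their model."""
    return sorted(model, key=model.get, reverse=True)


def expected_guesses(scheme, model):
    """Assumed risk measure: mean guesses until success against this scheme."""
    rank = {pw: i + 1 for i, pw in enumerate(guess_order(model))}
    return sum(p * rank[pw] for pw, p in scheme.items())


def compare():
    """Entropy is fixed by the scheme; expected guesses move with the attacker."""
    return {
        "entropy_bits": entropy_bits(SCHEME),
        "naive_guesses": expected_guesses(SCHEME, NAIVE_MODEL),
        "informed_guesses": expected_guesses(SCHEME, INFORMED_MODEL),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3f}")
```

Neither strength function takes an attacker model as input, so those values cannot move when the attacker adapts; only the expected guess count does.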


