Re: Password Cracking

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 01/25/03


From: unruh@string.physics.ubc.ca (Bill Unruh)
Date: 25 Jan 2003 21:03:21 GMT


"Lohkee" <Lohkee@worldnet.att.net> writes:

]"Ernst-Udo Wallenborn" <ernst-udo.wallenborn@freenet.de> wrote in message
]news:s5l65se19s5.fsf@dilbert.pointyhairedbosses.de...
]>
]> "Mark H. Wood" <mwood@mhw.ULib.IUPUI.Edu> writes:
]>
]> > I think we have a case of violent agreement here. One side correctly
]> > points out that, *if all points in the keyspace have an equal
]> > probability of being chosen*, then decreasing the size of the total
]> > keyspace increases the chances of correct guessing. The other side
]> > correctly points out that *the observed behavior does not show an
]> > equal probability of choice over the entire keyspace* -- the portion
]> > of keyspace which is actually used is a very small subset of "all
]> > points", and argues that removing these highly popular points tends to
]> > disperse the actual choices.
]>
]>
]> I violently agree.
]>
]> Ernst-Udo Wallenborn

]I violently disagree (sorry Ernst-Udo - I just couldn't resist)! I have
]never had a problem with removing the "highly popular" points; it is
]***how*** they are removed which concerns me. Enforcing, for example, a nine
]char password - or greater - automatically eliminates a very large portion
]of popular words in most languages *and* creates a very large pool of
]possibilities.

]My position is that password cracking (which is the subject of this
]particular thread) is not the way to go for the numerous reasons outlined
]in my original paper (rebuttals to which have been largely avoided),
]and, that rules to systemically enforce the use of strong passwords should
]be very carefully analyzed to make sure they, in fact, have the desired
]result.

I have never understood password hacking on one's own system. You can
read the cleartext password via your program which sets the password.
You can then insist that that password is sufficiently "random" (i.e.
selected from a category of passwords which hackers are unlikely to try
early on in their attempts.)
As stated above, while fascist password programs do restrict the number
of passwords, they usually do so by a negligible fraction of the total.
(e.g. outlawing .001% of the passwords makes no difference to the
"strength" of the remainder), and they usually do so by removing
passwords which hackers are likely to try first (e.g. dictionary words,
etc.) Thus the resistance to hacker attack is vastly increased.
The main lesson in any battle is "know your enemy".
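The two arguments in this thread (a denylist removes only a negligible slice of the keyspace; a minimum length of nine characters by itself discards most dictionary words) can be put in numbers. The following is an added example written for this archive page, not code posted by anyone in the thread. It assumes a 95-character printable-ASCII alphabet and uses a small constructed denylist standing in for a real dictionary of popular passwords; the check function is the kind of test a password-setting program can apply to the cleartext password before it is stored.

```python
import math
from fractions import Fraction

# Constructed stand-in for a dictionary of popular passwords (assumption:
# a real deployment would load a far larger list from a file).
COMMON_PASSWORDS = {
    "password", "letmein", "baseball", "trustno1",
    "qwerty123", "administrator",
}

# Assumption: passwords are drawn from the 95 printable ASCII characters.
ALPHABET_SIZE = 95


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def fraction_removed(denied, length, alphabet=ALPHABET_SIZE):
    """Exact fraction of the length-`length` keyspace that a denylist of
    `denied` entries (all assumed to be of that length) takes away."""
    return Fraction(denied, keyspace(length, alphabet))


def bits_lost(denied, length, alphabet=ALPHABET_SIZE):
    """Entropy (in bits) an attacker gains from knowing `denied` candidates
    of length `length` can never be the password, assuming uniform choice
    over the remainder."""
    total = keyspace(length, alphabet)
    return math.log2(total) - math.log2(total - denied)


def denylist_survivors(denylist, min_length):
    """Entries of the denylist that a minimum-length rule alone would still
    allow, i.e. the dictionary words a length rule does not eliminate."""
    return sorted(entry for entry in denylist if len(entry) >= min_length)


def check_password(candidate, min_length=9, denylist=COMMON_PASSWORDS):
    """Policy applied by the password-setting program to the cleartext
    password: reject short passwords and (case-insensitively) anything on
    the denylist. Returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, "shorter than %d characters" % min_length
    if candidate.lower() in denylist:
        return False, "on the popular-password denylist"
    return True, "accepted"


if __name__ == "__main__":
    # Removing 100,000 eight-character words from the 95^8 keyspace
    # changes the remaining strength by a vanishingly small amount.
    print("fraction removed: %.3e" % float(fraction_removed(100_000, 8)))
    print("bits lost: %.3e" % bits_lost(100_000, 8))
    # A nine-character minimum by itself discards most of the denylist.
    print("survivors of min length 9:", denylist_survivors(COMMON_PASSWORDS, 9))
    for pw in ("password", "Baseball1", "Tr0ub4dor&3"):
        print(pw, check_password(pw))
```

The `bits_lost` figure is the quantity Unruh's ".001%" remark is about: the attacker's advantage from a denylist is the logarithm of the ratio of old to new keyspace, which stays microscopic for any list small enough to be enforced, while the words removed are exactly the ones a dictionary attack would try first.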