Re: FAQ: How can I generate good strong passwords?
From: John Navas (spamfilter0_at_navasgroup.com)
Date: 10/13/05
Date: Thu, 13 Oct 2005 18:11:35 GMT
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
In <o55tk1pr1hs7slalpjqvu2lc8k5kpvnsao@4ax.com> on Thu, 13 Oct 2005 13:21:29
-0400, William P. N. Smith <> wrote:
>John Navas <spamfilter0@navasgroup.com> wrote:
>>-0700, "Alun Jones" <alun@texis.invalid> wrote:
>>>If it's a "try common words in the English language" attack, many
>>>letter-based passphrases will be broken before a relatively short hex-based
>>>passphrase will.
>
>>Only if the letter-based passphrases are short -- see
>><http://groups.google.com/group/alt.internet.wireless/msg/2fd501974faf9ae4?hl=en>
>>for thorough background. The recommendation for letter-based passphrases is
>>that they be over 20 characters.
>
>But then we come full circle. Passphrases not in the dictionary take
>a really long time to break, even if they are only 8 characters long.
>Made-up words, deleborateily miespeeelehd werdes, acronyms, and
><word><symbol><word> conglomerations are pretty secure,

Another false sense of security: There's no way to know in advance and thus
avoid what is or is not in the dictionary, so what you propose is thus just a
guess. Worse, since the attack can be mounted offline, a brute force attack
might well succeed. There's no good reason to take any unnecessary risk,
since a good passphrase is so easy to generate.

>though not as
>secure as random letter combinations, which in turn are not as secure
>as truly random hex keys.

The drawback to those approaches is that the resulting keys are hard to
remember and to use, which tends to encourage the kind of sloppiness that can
compromise any system, no matter how robust. Better to use something secure
that is still relatively easy to remember. Hence the recommendation to use
word-based passphrases of more than 20 characters; e.g., "floor hiking dirt
ocean", which is much easier to memorize than a "random" string yet still very
robust.
-- 
Best regards,   HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
John Navas      <http://navasgrp.home.att.net/#Cingular>
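
Added example, not part of the original post: a sketch of generating a word-based passphrase of more than 20 characters with a CSPRNG and comparing its entropy with the random-letter and random-hex keys discussed in the thread. The function names, the constructed 16-word sample list, and the 7776-word diceware list size used for comparison are assumptions of this example.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline (assumption: a real
# deployment loads a large published list, e.g. a 7776-word diceware list).
SAMPLE_WORDS = [
    "floor", "hiking", "dirt", "ocean", "candle", "river", "marble", "window",
    "garden", "silver", "pocket", "thunder", "copper", "meadow", "lantern", "harbor",
]

def generate_passphrase(words, min_chars=21, min_bits=0.0):
    """Draw words uniformly with a CSPRNG until the length and entropy floors are met.

    Returns (passphrase, entropy_bits). Entropy counts only the random word
    choices: each word adds log2(len(words)) bits, whatever its length.
    """
    if len(words) < 2 or len(set(words)) != len(words):
        raise ValueError("word list must hold at least two distinct words")
    bits_per_word = math.log2(len(words))
    chosen = []
    while len(" ".join(chosen)) < min_chars or len(chosen) * bits_per_word < min_bits:
        chosen.append(secrets.choice(words))
    return " ".join(chosen), len(chosen) * bits_per_word

def random_string_bits(alphabet_size, length):
    """Entropy of a uniformly random string, e.g. alphabet_size=16 for hex."""
    return length * math.log2(alphabet_size)

def words_needed(list_size, target_bits):
    """Words required from a list of list_size entries to reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS)
    print(f"{phrase!r}: {len(phrase)} chars, {bits:.1f} bits from the sample list")
    print(f"4 words from a 7776-word list: {4 * math.log2(7776):.1f} bits")
    print(f"8 random lowercase letters:    {random_string_bits(26, 8):.1f} bits")
    print(f"16 random hex digits:          {random_string_bits(16, 16):.1f} bits")
    print(f"words for 64 bits (7776 list): {words_needed(7776, 64)}")
```

The sample list gives only 4 bits per word, so a phrase that merely clears the 21-character floor from it is weak; pass `min_bits` and a large word list to set the strength by entropy rather than by character count.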