Re: Newbie question on encryption keys



On Sat, 28 Jul 2007 02:01:26 +0200, Ertugrul Soeylemez wrote:

Ari <arisilverstein@xxxxxxxxx> (07-07-25 09:58:10):

Would you consider either of these serious passwords?

6:Q?-jiF6:Q?-jiF
6:Q?-jiFFij-?Q:6

Not really. Probably they are impractical to break for a random
attacker, but it's still safer to use a completely random string
without repetition. Then it also doesn't have to be so long.

I suppose this is the crux of my argument. On the order of
practicality, it is best to have the shortest possible password
(easiest to remember). You will need to have several (all eggs in one
basket = no good). So the shorter the better.

Unless the examples above, again rearranged so to be easily remembered
are, or combined into 32 character passwords...

Where is the point of best safety? One must assume a powerful
adversary to find that point. Or do we ever really know?

You have to assume that every attacker already has some information
about you or your password. Probably he knows that you are using
repetition patterns in all or many of your passwords, which makes
attacking it much easier.

Think of your adversary standing behind you while you type in your
password. He doesn't see what password you're typing, but he certainly
hears the repetition patterns. If you're using SSH challenge-response
authentication, then he might even sniff the traffic to find that out,
because it reveals the pauses between key-presses.

Regards,
Ertugrul Söylemez.

That's a good lesson, Er, thanks.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
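
Added example, not part of the original thread: a Python sketch of the point made above, that an attacker who knows the repetition habit only has to search the 8-character seed, so a shorter fully random string is just as strong. The 94-symbol alphabet, the two-transform attacker model and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: characters come from the 94 printable ASCII symbols (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
BITS_PER_CHAR = math.log2(len(ALPHABET))
KNOWN_TRANSFORMS = 2  # attacker tries "seed+seed" and "seed+reversed(seed)"


def find_structure(pw):
    """Return (kind, seed_len): the shortest seed that regenerates pw by
    repetition or by mirroring, or ("none", len(pw)) if there is none."""
    n = len(pw)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and pw[:k] * (n // k) == pw:
            return "repeat", k
    if n >= 2 and n % 2 == 0 and pw[: n // 2] == pw[n // 2:][::-1]:
        return "mirror", n // 2
    return "none", n


def effective_bits(pw):
    """Upper bound on guessing work (bits) for an attacker who knows the
    construction habit; assumes the seed itself is uniformly random."""
    kind, seed_len = find_structure(pw)
    bits = seed_len * BITS_PER_CHAR
    if kind != "none":
        bits += math.log2(KNOWN_TRANSFORMS)  # which transform was applied
    return bits


def equivalent_random_length(pw):
    """Length of a uniformly random string that is at least as strong."""
    return math.ceil(round(effective_bits(pw) / BITS_PER_CHAR, 9))


def random_password(length):
    """Uniformly random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("6:Q?-jiF6:Q?-jiF", "6:Q?-jiFFij-?Q:6"):
        kind, seed_len = find_structure(pw)
        print(f"{pw}: {kind} of {seed_len}-char seed, "
              f"{effective_bits(pw):.1f} bits, matched by "
              f"{equivalent_random_length(pw)} random chars")
    print("random replacement:", random_password(9))
```

Under these assumptions both 16-character examples from the thread come out at roughly 53 bits, which a 9-character random string already matches.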