Re: Are PassPhrases Secure Enough?
From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 11/25/04
- Previous message: David Wang [Msft]: "Re: Random 401.2 Error in ASP.NET app"
- In reply to: clintonG: "Re: Are PassPhrases Secure Enough?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 25 Nov 2004 07:49:32 +0100
Thanks :-)
-Valery.
http://www.harper.no/valery
"clintonG" <csgallagher@REMOVETHISTEXTmetromilwaukee.com> wrote in message
news:eckKUtp0EHA.3292@TK2MSFTNGP10.phx.gbl...
> Good blog Valery...
>
> <%= Clinton Gallagher
>
> "Valery Pryamikov" <Valery@nospam.harper.no> wrote in message
> news:umkNo7l0EHA.3832@TK2MSFTNGP10.phx.gbl...
>> Hi
>> The problem with passphrases is that they have near-natural-language
>> entropy, which is very low. Entropy is a measure of information uncertainty
>> and is inversely proportional to information redundancy. Redundancy can be
>> thought of as a measure of data compressibility (i.e. the higher the
>> compression rate you can achieve on your data, the lower the entropy of
>> that data). Natural English information redundancy is about 75%. This gives
>> something like 1.25 bits of entropy per character for natural English. I.e.
>> each extra byte you add to your passphrase only increases your password
>> strength by something from 1.25 bits (unlimited length) to 2.9 bits of
>> security (for passwords longer than 10 chars). I don't know why it is so
>> popular to advocate natural language passphrases lately, ignoring the many
>> studies that were done during the past two decades which indicated that
>> passwords built from a passphrase by taking one or more characters from each
>> word would provide better security due to better entropy while still being
>> quite easy to remember. You only need such a password of size 15 chars (to
>> disable LM Hash) and it would be as difficult to break as a passphrase of
>> size more than 50 chars. I, for example, use one or other line from a
>> Russian song or story, take some char from each word, write them in the
>> Latin alphabet instead of Cyrillic (which means that sometimes I have to use
>> two Latin letters instead of one Cyrillic), throw in some symbols and get a
>> password that looks like the following: "KjbZ-m0d,jDbzRb". It is composed
>> from a well-known children's story that I used to read to my sons - I'll
>> never forget it (I actually used it a couple of years ago) - but it will be
>> very tough to break. For more information on choosing a password, check
>> this paper by Ross Anderson (one of the world's most acknowledged experts
>> in cryptography and information security) that was written in 2000:
>> http://citeseer.ist.psu.edu/yan00memorability.html (click on "cached PDF"
>> to read the paper). Only note that they are talking about a minimum of 8
>> chars only because UNIX and Linux "crypt" password protection doesn't allow
>> passwords longer than 8 chars (and "crypt" is still used on some UNIX/Linux
>> distributions). If you are interested you can also check my blog where I
>> posted 6 articles about passwords (just search my blog for "passwords").
>>
>> -Valery.
>> http://www.harper.no/valery
>>
>> "clintonG" <csgallagher@REMOVETHISTEXTmetromilwaukee.com> wrote in
>> message
>> news:O8V39Sk0EHA.2016@TK2MSFTNGP15.phx.gbl...
>> > I've been thinking of implementing the following and seek comments pro
>> > and con.
>> >
>> > When registering, the user provides an e-mail address and creates a
>> > password phrase question such as "What is your father's middle name?"
>> > The user also provides the answer to the phrase he or she has created.
>> >
>> > Future attempts to log in initially request the e-mail address only. A
>> > callback is issued and the login form is updated to display the user's
>> > passphrase "What is your father's middle name?" The user provides the
>> > correct answer and is presumably authenticated.
>> >
>> > That is the gist of this postulation. I am seeking comments regarding
>> > how to harden this methodology using hashed values to salt, or other
>> > comments on why this type of methodology would not be as secure as any
>> > other currently implemented.
>> >
>> > --
>> > <%= Clinton Gallagher, "Twice the Results -- Half the Cost"
>> > Architectural & e-Business Consulting -- Software Development
>> > NET csgallagher@REMOVETHISTEXTmetromilwaukee.com
>> > URL http://www.metromilwaukee.com/clintongallagher/
>> >
>> >
>>
>>
>
>
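The phrase-to-password recipe Valery describes above (transliterate, keep a letter or two from each word, throw in symbols) and the entropy argument behind it, as an added example that is not code from the original thread. The transliteration table, the symbol-insertion rule, the sample corpus and the trigram model are all illustrative choices made here: the model stands in for the character-level language model a guessing attacker would use, and a "well-known line" is simulated by including the passphrase in the attacker's corpus.

```python
"""Added example: passphrase vs. phrase-derived password (not from the thread)."""
import math
import re
import string
from collections import Counter, defaultdict

# Simplified Cyrillic -> Latin table (assumption: any common scheme will do).
# Several letters need two or more Latin letters, as the post mentions.
TRANSLIT = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "yo",
    "ж": "zh", "з": "z", "и": "i", "й": "y", "к": "k", "л": "l", "м": "m",
    "н": "n", "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u",
    "ф": "f", "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh", "щ": "shch",
    "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
}


def transliterate(text: str) -> str:
    """Lower-case the text and map Cyrillic letters to Latin; others pass through."""
    return "".join(TRANSLIT.get(c.lower(), c.lower()) for c in text)


def derive_password(phrase: str, take: int = 1, symbols: str = "-,") -> str:
    """Keep the first `take` letters of each word, capitalise every other fragment
    and splice a symbol in after every second word (rule chosen for this example)."""
    words = re.findall(r"[a-z0-9]+", transliterate(phrase))
    out = []
    for i, word in enumerate(words):
        if i and i % 2 == 0:
            out.append(symbols[(i // 2 - 1) % len(symbols)])
        frag = word[:take]
        out.append(frag.capitalize() if i % 2 == 0 else frag)
    return "".join(out)


ALPHABET = string.ascii_lowercase + " ?"  # '?' stands for any digit or symbol


def _normalize(text: str) -> str:
    text = re.sub(r"\s+", " ", text.lower()).strip()
    return "".join(c if c in ALPHABET[:-1] else "?" for c in text)


class TrigramModel:
    """Order-2 character model with additive smoothing: a stand-in for the
    attacker's language model. Surprisal in bits approximates guessing cost."""

    def __init__(self, corpus: str, alpha: float = 0.1):
        self.alpha = alpha
        self.counts = defaultdict(Counter)
        t = _normalize(corpus)
        for i in range(2, len(t)):
            self.counts[t[i - 2:i]][t[i]] += 1

    def surprisal(self, text: str) -> float:
        """Total -log2 P(text) in bits (the first two characters are unscored)."""
        t = _normalize(text)
        bits = 0.0
        for i in range(2, len(t)):
            ctx = self.counts.get(t[i - 2:i], Counter())
            total = sum(ctx.values())
            p = (ctx[t[i]] + self.alpha) / (total + self.alpha * len(ALPHABET))
            bits -= math.log2(p)
        return bits

    def bits_per_char(self, text: str) -> float:
        return self.surprisal(text) / max(1, len(_normalize(text)) - 2)


# Constructed sample corpus; it deliberately contains the passphrase below,
# which is what "a well-known line" means from the attacker's point of view.
CORPUS = """
the quick brown fox jumps over the lazy dog. the dog was not amused and
went back to sleep under the old apple tree. every morning the farmer
walked past the tree on his way to the field, and every evening he came
back with the same tired smile. the children in the village knew the
story by heart and would recite it to anyone who would listen.
"""

if __name__ == "__main__":
    phrase = "the quick brown fox jumps over the lazy dog"
    password = derive_password(phrase)
    model = TrigramModel(CORPUS)
    print(password, round(model.bits_per_char(password), 2), "bits/char")
    print(phrase, round(model.bits_per_char(phrase), 2), "bits/char")
```

Two things worth noticing when running it. The derived string scores close to log2(28) bits per character because almost none of its trigrams occur in natural text, while the passphrase scores far lower since every one of its trigrams is predictable from the corpus; that is the per-character gap the post is describing. The caveat is that the derivation is deterministic: if an attacker can enumerate the source phrases (song lyrics, famous lines) and the handful of derivation rules people actually use, the password inherits the entropy of that enumeration, not of a random 13-character string, so the obscurity of the source line still matters.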