Re: Password Cracking
From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/25/03
From: "Lohkee" <Lohkee@worldnet.att.net> Date: Sat, 25 Jan 2003 02:18:23 GMT
"Ernst-Udo Wallenborn" <ernst-udo.wallenborn@freenet.de> wrote in message
news:s5l65se19s5.fsf@dilbert.pointyhairedbosses.de...
>
> "Mark H. Wood" <mwood@mhw.ULib.IUPUI.Edu> writes:
>
> > I think we have a case of violent agreement here. One side correctly
> > points out that, *if all points in the keyspace have an equal
> > probability of being chosen*, then decreasing the size of the total
> > keyspace increases the chances of correct guessing. The other side
> > correctly points out that *the observed behavior does not show an
> > equal probability of choice over the entire keyspace* -- the portion
> > of keyspace which is actually used is a very small subset of "all
> > points", and argues that removing these highly popular points tends to
> > disperse the actual choices.
>
>
> I violently agree.
>
> Ernst-Udo Wallenborn

I violently disagree (sorry Ernst-Udo - I just couldn't resist)! I have
never had a problem with removing the "highly popular" points; it is
***how*** they are removed which concerns me. Enforcing, for example, a nine
char password - or greater - automatically eliminates a very large portion
of popular words in most languages *and* creates a very large pool of
possibilities.

My position is that password cracking (which is the subject of this
particular thread) is not the way to go for the numerous reasons outlined
in my original paper (rebuttals to which have been largely avoided),
and that rules to systemically enforce the use of strong passwords should
be very carefully analyzed to make sure they, in fact, have the desired
result.

Lohkee!
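
An added example, not part of the original post: one way to analyze a password rule from both sides of the argument above, measuring how much of a uniform keyspace the rule removes and how much of a list of popular choices it removes. The 95-character printable ASCII alphabet, the class sizes, the function names and the sample list are assumptions constructed for illustration.

```python
from itertools import combinations

# Printable ASCII split into classes (symbol count includes the space): 95 total.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASS_SIZES.values())

# Constructed sample of popular choices, for illustration only.
SAMPLE_POPULAR = ["password", "letmein", "qwerty", "dragon", "baseball",
                  "football", "monkey", "sunshine", "trustno1", "superman",
                  "basketball", "cheeseburger"]


def keyspace(length, required=()):
    """Strings of exactly `length` chars holding at least one char from every
    class in `required`, counted by inclusion-exclusion."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            left = ALPHABET - sum(CLASS_SIZES[c] for c in missing)
            total += (-1) ** k * left ** length
    return total


def removed_by_min_length(words, min_length):
    """Words a minimum-length rule would reject."""
    return [w for w in words if len(w) < min_length]


def analyze(min_length, required=()):
    """Compare the rule's cost under a uniform choice with its effect on the
    observed (popular) choices."""
    shorter = sum(keyspace(n) for n in range(1, min_length))
    exact = keyspace(min_length)
    allowed = keyspace(min_length, required)
    gone = removed_by_min_length(SAMPLE_POPULAR, min_length)
    return {
        # share of all strings up to min_length that the length rule forbids
        "uniform_share_lost_to_length": shorter / (shorter + exact),
        # share of min_length strings that the class rule forbids
        "uniform_share_lost_to_classes": 1 - allowed / exact,
        # share of the popular sample that the length rule forbids
        "popular_share_removed": len(gone) / len(SAMPLE_POPULAR),
    }


if __name__ == "__main__":
    for name, value in analyze(9, ("lower", "upper", "digit", "symbol")).items():
        print(f"{name}: {value:.4f}")
```
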