Posted by AV on November 30, 2005, 2:45 pm
Which of these two passwords should be the most secure one:
1. "Jag undrar vaad som aar ett sakert"
2. "XVg6Gtzw"
The first one is far easier for me to understand since it is a
somewhat incorrectly spelled sentence (in Swedish), whereas the other is
8 very cryptic characters that are not easy to remember.
To me the first one seems much more secure since it has so many more
characters and therefore should take far longer to brute force than the
other. Dictionary attacks should also be rather useless since the words
are incorrectly spelled and also it is a sentence and not a word. The
sentence with similar misspellings would in English be something like:
"I wooonder what iss a secuure"
So what are your opinions?
Posted by nemo_outis on November 30, 2005, 3:20 pm
$d5.195736@newsb.telia.net:
> Which of these two passwords should be the most secure one:
>
> 1. "Jag undrar vaad som aar ett sakert"
>
> 2. "XVg6Gtzw"
>
> The first one is far easier for me to understand since it is a
> somewhat incorrectly spelled sentence (in Swedish), whereas the other is
> 8 very cryptic characters that are not easy to remember.
>
> To me the first one seems much more secure since it has so many more
> characters and therefore should take far longer to brute force than the
> other. Dictionary attacks should also be rather useless since the words
> are incorrectly spelled and also it is a sentence and not a word. The
> sentence with similar misspellings would in English be something like:
>
> "I wooonder what iss a secuure"
>
> So what are your opinions?
>
My personal preference has always been for passphrases rather than
passwords. Because of the peculiarities of human memory it is possible to
remember a passphrase of much higher entropy than a password. For
example:
"A purple aardvark cavorts in a grotto of kumquat rinds."
This sentence, while too short, has been chosen to illustrate the
principle.
One can then "harden" the passphrase in a number of ways, such as:
Put two or three spaces between words and fill them with uncommon
characters and numbers in some half-assed memorizable pattern. For
instance:
"A1)Purple2(aardvark*3cavorts&5in^8a%13grotto%21of$34kumquat#55rinds."
(I used a very primitive pattern for illustration: top-row special
characters and the - slightly mangled - Fibonacci numbers, both in
order!)
You might also capitalize following some non-standard pattern, such as
the first and last letter of each word.
"A1)PurplE2(AardvarK*3CavortS&5IN^8A%13GrottO%21OF$34KumquaT#55RindS."
The nice thing about such passphrases is that they can often be
"assembled" in the input window just as I did above, rather than entered
directly in final form.
Now the principle in choosing passphrases says that the passphrase should
have (at least) as much entropy as the underlying algorithm (e.g., AES
128). Here's some condensed theory:
Choose words *randomly* (curb your prejudices and preferences!) from a
word list. (The average use vocabulary of an English adult is 5000 words,
the recognition vocabulary of a well-educated college graduate is perhaps
50,000 words, and the Oxford contains somewhere around 500,000 words.)
For good measure, do not count articles, prepositions, and the like in
the word total. Ten words chosen *randomly* from a list of 10,000 would
have a probability of 10000^10 or about 133 bits - that's the length of
passphrase we need (about twice as long as my illustrative one).
My fairly conservative policy (which has no theoretical support) is to
assume that the hardening roughly compensates for the loss of entropy due
to the regularity of the English sentence structure. Others may wish to
credit it either more or less.
Regards,
Posted by nemo_outis on November 30, 2005, 3:28 pm
...
> The nice thing about such passphrases is that they can often be
> "assembled" in the input window just as I did above, rather than
> entered directly in final form.
...
A few things I forgot to add:
"Assembling" a passphrase in a password input window can be severely
hampered if the window is blanked with asterisks. Here's a trick: assemble
the passphrase in the *user name* window and then cut and paste it to the
password window (afterwards, go back and fill in the user name).
For the theoretically inclined, the Shannon entropy of ordinary English
sentences is about 1.2 to 1.4 bits per character. This gives an alternate
method of calculating passphrase entropy.
Regards,
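The two entropy estimates nemo_outis uses in the two posts above (words chosen randomly from a list, giving log2 of the list size per word, and the Shannon figure of 1.2 to 1.4 bits per character for ordinary English) are worked through here as an added Python example; it is not code from the thread. The eight-word list, the 62-symbol alphabet assumed for the random password, and the sample phrases are constructed assumptions, and the 10,000-word list size is taken from the post.

```python
import math
import secrets

# Constructed stand-in for a real word list. Only the *size* of the list
# enters the entropy estimate; a real 10,000-word list would be used in
# practice. The words are borrowed from the illustrative sentence above.
SAMPLE_WORDS = ["aardvark", "cavorts", "grotto", "kumquat",
                "purple", "rinds", "ink", "oak"]


def entropy_bits(choices, length):
    """Bits of entropy in `length` symbols drawn uniformly and independently
    from `choices` possibilities, i.e. log2(choices ** length)."""
    return length * math.log2(choices)


def words_needed(target_bits, list_size):
    """Smallest number of uniformly random words from a list of `list_size`
    entries whose combined entropy reaches `target_bits` (128 for AES-128,
    the target named in the post)."""
    return math.ceil(target_bits / math.log2(list_size))


def sentence_entropy_range(text, low=1.2, high=1.4):
    """Shannon-style estimate for an ordinary, non-random sentence using the
    1.2 to 1.4 bits per character figure quoted in the thread. Returns the
    (low, high) pair in bits."""
    n = len(text)
    return (n * low, n * high)


def random_passphrase(word_list, word_count, sep=" "):
    """Draw words with a CSPRNG. The log2(list_size)-per-word estimate only
    holds when every word is chosen uniformly at random like this; a
    sentence you composed yourself gets the Shannon estimate instead."""
    return sep.join(secrets.choice(word_list) for _ in range(word_count))


def report():
    """Compare the thread's candidates under both estimation methods."""
    lines = []
    # Random 8-character password over an assumed alphabet of 62 symbols
    # (a-z, A-Z, 0-9), like the second candidate in the original question.
    lines.append("random 8-char [A-Za-z0-9] password: %.1f bits"
                 % entropy_bits(62, 8))
    # Ten words chosen at random from a 10,000-word list, as in the post.
    lines.append("10 random words from a 10,000-word list: %.1f bits"
                 % entropy_bits(10000, 10))
    lines.append("words needed for 128 bits from that list: %d"
                 % words_needed(128, 10000))
    # The first candidate is a human-composed sentence, so the per-word
    # estimate does not apply; use the per-character Shannon figure.
    lo, hi = sentence_entropy_range("Jag undrar vaad som aar ett sakert")
    lines.append("Swedish sentence (34 chars) via Shannon estimate: "
                 "%.1f to %.1f bits" % (lo, hi))
    lines.append("sample CSPRNG passphrase: %s"
                 % random_passphrase(SAMPLE_WORDS, 5))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run as a script it prints the comparison. The instructive result is that the 34-character Swedish sentence, scored with the 1.2 to 1.4 bits-per-character method, lands in roughly the same 41 to 48 bit band as the 8-character random password, while ten genuinely random words from a 10,000-word list reach about 133 bits; length alone does not buy the entropy, random selection does.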
Posted by on November 30, 2005, 5:28 pm
> ...
>> The nice thing about such passphrases is that they can often be
>> "assembled" in the input window just as I did above, rather than
>> entered directly in final form.
> ...
>
>
> A few things I forgot to add:
>
> "Assembling" a passphrase in a password input window can be severely
> hampered if the window is blanked with asterisks. Here's a trick: assemble
> the passphrase in the *user name* window and then cut and paste it to the
> password window (afterwards, go back and fill in the user name).
Of course, this bypasses the very reason we have asterisks in password
fields, the fact that anyone can look over your shoulder and see your
password...
Joachim
Posted by nemo_outis on November 30, 2005, 7:40 pm
jKILLSPAM.schipper@math.uu.nl wrote in
>>
>> ...
>>> The nice thing about such passphrases is that they can often be
>>> "assembled" in the input window just as I did above, rather than
>>> entered directly in final form.
>> ...
>>
>>
>> A few things I forgot to add:
>>
>> "Assembling" a passphrase in a password input window can be severely
>> hampered if the window is blanked with asterisks. Here's a trick:
>> assemble the passphrase in the *user name* window and then cut and
>> paste it to the password window (afterwards, go back and fill in the
>> user name).
>
> Of course, this bypasses the very reason we have asterisks in password
> fields, the fact that anyone can look over your shoulder and see your
> password...
>
> Joachim
>
Call me crazy if you will, but I'm of the opinion that you should not be
entering ANY password, whether asterisk protected or not, while someone is
looking over your shoulder.
Regards,