Posted by Rusty on November 30, 2005, 3:53 pm
#1 is weak, #2 is reasonably strong.
Try here for a strength tester and some guidelines.
http://www.securitystats.com/tools/password.php
Ken
> Which of these two passwords should be the more secure one:
>
> 1. "Jag undrar vaad som aar ett sakert"
>
> 2. "XVg6Gtzw"
>
> The first one is far easier for me to understand since it is a somewhat
> incorrectly spelled sentence (in Swedish), whereas the other is 8 very
> cryptic characters that are not easy to remember.
>
> To me the first one seems much more secure since it has so many more
> characters and therefore should take far longer to brute force than the
> other. Dictionary attacks should also be rather useless since the words
> are incorrectly spelled and also it is a sentence and not a word. The
> sentence with similar misspellings would in English be something like:
>
> "I wooonder what iss a secuure"
>
> So what are your opinions?
Posted by AV on December 1, 2005, 3:12 am
That sounds very strange to me since the first one has so many more
characters and has misspelled words.
And shouldn't any secure login to anything only accept just a few
attempts, e.g. three? To me it seems like if you just had such a system (or
application) then actually a rather short password should be rather
safe. How likely is it that my "weak" passphrase below will be entered in three
attempts? And after these three attempts you need to restart the
application. How long would it take for the fastest machine on
earth today to brute force that passphrase?
But again, I cannot understand that the first one is considered weaker
than the second one. In TrueCrypt it is the opposite. You get a warning
if the password/phrase is shorter than 20 characters. I suppose you
could find other sites that are of the opposite opinion?
Posted by AV on December 1, 2005, 3:18 am
Perhaps I could make a real-world example here? I have heard that
zip passwords are easily cracked? Much easier than WinRAR? Anyway, I
could zip something with a "weak" passphrase and anyone is welcome to
try to crack it. Because I think my mind needs to become convinced that
it is really so weak :-)
Posted by Joachim on December 2, 2005, 8:14 am
> That sounds very strange to me since the first one has so many more
> characters and has misspelled words.
That does not, per se, mean the encryption is stronger. After all,
'booooooooooring' is not a very strong password...
Let's throw some math at it.
Each word is chosen from a vocabulary of, say, 10000 words (this
includes weird words very few people will know - the active vocabulary
of the average English speaker is ~ 5000 words, IIRC - though that seems
very small) and has 100 different 'correct' ways of spelling it. Then,
six random words with random misspellings have an entropy of
(10000*100)^6 = (10^7)^6 = 10^56 > (2^3)^59 = 2^171.
(If only common words - 1000 total - are used, this will be about
(10^6)^6 = 10^36 > (2^3)^36 = 2^108.)
The second one has eight characters, chosen from a-z, A-Z, 0-9, and
say ten miscellaneous characters, if done right. That would mean 40^8,
or about (2^5)^8 = 2^40 options. Quite a bit worse than the first one.
This does assume that people are not allowed to pick the password in
either case (i.e., it's true random or as close to that as you can get),
*and* the words in the first case *don't form a sentence* (as yours do).
If they do, entropy decreases dramatically; I have heard it said that
entropy decreases to only a few paltry bits (10000 is about 13 bits;
I've heard as low as 1.2 bits for phrases), and entropy may drop as low
as (2 * 100)^6 > (2^7)^6 = 2^42.
It also assumes that one is more creative in misspelling than you did in
your examples, as simply doubling letters adds about one bit of entropy
per character, and many words are rather small (so 100 will be a little
high - and if using both phrases, with at worst 1 bit of entropy per
word, and simple misspellings with about 4 bits of entropy per word, we
have a key space of only (2^1 * 2^4)^6 = 2^30, in which case the simpler
passwords appear to be more attractive).
In short, calculating the entropy for the first one isn't
straightforward, but seems to suggest that unless lots of randomization
is involved, it is rather weak. Especially if humans are allowed to pick
the phrase.
(Note: it also assumes that the whole password is required - some
mechanisms use only the first eight characters. Oopsie.)
> And shouldn't any secure login to anything only accept just a few
> attempts, e.g. three.
Theoretically, yes. Practically, such 'protection' almost always opens
the door for an easy DoS, *especially* when the network can be sniffed.
> To me it seems like if you just had such a system (or
> application) then actually a rather short password should be rather
> safe. How likely is it that my "weak" passphrase below will be entered in three
> attempts? And after these three attempts you need to restart the
> application. How long would it take for the fastest machine on
> earth today to brute force that passphrase?
Not that long, DES is quite crackable and has 2^56 bits in its key,
IIRC.
And 'only three attempts' doesn't work all that well in the real world.
> But again, I cannot understand that the first one is considered weaker
> than the second one. In TrueCrypt it is the opposite. You get a warning
> if the password/phrase is shorter than 20 characters. I suppose you
> could find other sites that are of opposite opinion?
Well, at least, the number of characters has very little bearing on the
strength of the passphrase...
Joachim
Posted by Slight correction on December 2, 2005, 10:05 am
In general, I think your reasoning is right, but you didn't spend
enough time on the math.
jKILLSPAM.schipper@math.uu.nl wrote:
>Then,
>six random words with random misspellings have an entropy of
>(10000*100)^6 = (10^7)^6 = 10^56 > (2^3)^59 = 2^171.
10000*100 = 10^6, not 10^7. (10^6)^6 is between 2^119 and 2^120.
(Also, (10^7)^6 = 10^42, not 10^56. Perhaps you were thinking
ahead to the next example where 8 is the proper exponent, rather
than 6.)
>The second one has eight characters, chosen from a-z, A-Z, 0-9, and
>say ten miscellaneous characters, if done right. That would mean 40^8,
>or about (2^5)^8 = 2^40 options. Quite a bit worse than the first one.
a-z is 26; A-Z is another 26; 0-9 is 10 plus "ten miscellaneous
characters", adds to 72 possible characters. That would mean
72**8 or about 2^49. Still, as you said, much worse than the
above. (Where did your 40 come from?)
>This does assume that people are not allowed to pick the password in
>either case (i.e., it's true random or as close to that as you can get),
>*and* the words in the first case *don't form a sentence* (as yours do).
>If they do, entropy decreases dramatically; I have heard it say that
>entropy decreases to only a few paltry bits (10000 is about 13 bits;
>I've heard as low as 1.2 bits for phrases), and entropy may drop as low
>as (2 * 100)^6 > (2^7)^6 = 2^42.
What I've heard is that English text is about 1.2 to 1.4 bits of
entropy per character. I don't know if that includes the spaces
between words. Even if it does, 6 6-letter words in a phrase
would yield 41 characters or at most just over 57 bits of entropy.
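An added example, not code from any poster in this thread: it turns the keyspace models Joachim used (random words with random misspellings, random characters over an alphabet, prose at a fixed number of bits per character) and the corrected figures from the post above into small functions, so the arithmetic can be re-run with other parameters. Two things in it are assumptions of mine rather than anything the thread states: the 10^9 guesses per second used for the time column, and treating the Swedish sentence like English prose when applying the 1.2 to 1.4 bits-per-character estimate.

```python
import math

# Added example for the entropy arguments in the thread. Not code from any
# poster; it only turns their keyspace models into functions so the numbers
# can be checked. The guess rate at the bottom is an assumption.

def bits(keyspace: float) -> float:
    """Entropy, in bits, of one uniformly random choice among `keyspace` options."""
    return math.log2(keyspace)

def random_words_bits(vocab: int, variants: int, words: int) -> float:
    """Joachim's model: `words` words drawn uniformly from a `vocab`-entry list,
    each independently given one of `variants` spellings."""
    return words * bits(vocab * variants)

def random_chars_bits(alphabet: int, length: int) -> float:
    """Fixed-length password with every character uniform over `alphabet` symbols."""
    return length * bits(alphabet)

def natural_text_bits(chars: int, bits_per_char: float) -> float:
    """Human-written prose, using a Shannon-style per-character estimate
    (the correction post quotes 1.2 to 1.4 bits/char for English)."""
    return chars * bits_per_char

def alphabet_size(lower: bool = True, upper: bool = True,
                  digits: bool = True, symbols: int = 0) -> int:
    """Number of distinct characters available to a random-character password."""
    return 26 * lower + 26 * upper + 10 * digits + symbols

def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace; the expected time is half this."""
    return 2 ** entropy_bits / guesses_per_second / (365.25 * 24 * 3600)

# Constructed inputs: the two candidates from the original question.
SENTENCE = "Jag undrar vaad som aar ett sakert"
RANDOM8 = "XVg6Gtzw"

def thread_cases() -> list[tuple[str, float]]:
    """(label, entropy in bits) for each keyspace argued about in the thread."""
    alpha72 = alphabet_size(symbols=10)          # a-z, A-Z, 0-9 plus ten extras
    return [
        ("6 random words, 10k vocab x 100 spellings", random_words_bits(10_000, 100, 6)),
        ("6 random words, 1k vocab x 100 spellings",  random_words_bits(1_000, 100, 6)),
        (f"{len(RANDOM8)} random chars over {alpha72} symbols",
         random_chars_bits(alpha72, len(RANDOM8))),
        (f"{len(RANDOM8)} random chars over 40 symbols", random_chars_bits(40, len(RANDOM8))),
        ("41-char English phrase at 1.4 bits/char",    natural_text_bits(41, 1.4)),
        (f"thread's {len(SENTENCE)}-char sentence at 1.2 bits/char (Swedish ~ English assumed)",
         natural_text_bits(len(SENTENCE), 1.2)),
        ("56-bit DES key",                             56.0),
    ]

if __name__ == "__main__":
    rate = 1e9   # assumed offline guess rate, guesses per second
    print(f"{'keyspace':<78} {'bits':>6} {'years @ 1e9/s':>14}")
    for label, b in thread_cases():
        print(f"{label:<78} {b:6.1f} {years_to_exhaust(b, rate):14.3g}")
```

Run as-is it prints the table; the random-word model lands between 2^119 and 2^120 as the correction says, 72 symbols to the power 8 comes out at about 49.4 bits, the 41-character phrase at 57.4 bits, and the 34-character sentence from the original question at roughly 41 to 48 bits depending on the per-character estimate, i.e. below the 8 random characters. The time column is for an attacker who can guess offline at the assumed rate; a login that stops after three attempts is a different threat model, as Joachim's post already points out.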