Posted by Ari on July 28, 2007, 1:59 pm
On Sat, 28 Jul 2007 02:01:26 +0200, Ertugrul Soeylemez wrote:
>
>>> > Would you consider either of these serious passwords?
>>> >
>>> > 6:Q?-jiF6:Q?-jiF
>>> > 6:Q?-jiFFij-?Q:6
>>>
>>> Not really. Probably they are impractical to break for a random
>>> attacker, but it's still safer to use a completely random string
>>> without repetition. Then it also doesn't have to be so long.
>>
>> I suppose this is the crux of my argument. On the order of
>> practicality, it is best to have the shortest possible password
>> (easiest to remember). You will need to have several (all eggs in one
>> basket = no good). So the shorter the better.
>>
>> Unless the examples above, again rearranged so as to be easily remembered
>> are, or combined into 32-character passwords...
>>
>> Where is the point of best safety? One must assume a powerful
>> adversary to find that point. Or do we ever really know?
>
> You have to assume that every attacker already has some information
> about you or your password. Probably he knows that you are using
> repetition patterns in all or many of your passwords, which makes
> attacking it much easier.
>
> Think of your adversary standing behind you while you type in your
> password. He doesn't see what password you're typing, but he certainly
> hears the repetition patterns. If you're using SSH challenge-response
> authentication, then he might even sniff the traffic to find that out,
> because it reveals the pauses between key-presses.
>
> Regards,
> Ertugrul Söylemez.
That's a good lesson, Er, thanks.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
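The point Ertugrul makes about repetition patterns can be put in numbers. The following is an added example, not code from either poster: it checks a candidate password for the two structures in the thread (first half repeated, first half mirrored) and reports how much guessing entropy is left once an attacker who knows the habit only has to search the independent half. It assumes a 94-symbol pool (printable ASCII without whitespace) and charges the attacker one extra bit for not knowing which of the two patterns was used.

```python
import math
import string

# Assumed alphabet: printable ASCII minus whitespace (100 - 6 = 94 symbols).
POOL = len(string.printable) - len(string.whitespace)


def structural_half(pw: str):
    """Return the first half if the password is 'half+half' (repeated)
    or 'half+reversed(half)' (mirrored), otherwise None."""
    n = len(pw)
    if n % 2:
        return None
    head, tail = pw[: n // 2], pw[n // 2 :]
    if tail == head or tail == head[::-1]:
        return head
    return None


def entropy_bits(pw: str) -> float:
    """Naive estimate: every character independent and uniform over POOL."""
    return len(pw) * math.log2(POOL)


def effective_entropy_bits(pw: str) -> float:
    """Entropy against an attacker who knows the user builds passwords by
    repeating or mirroring a block: only the block must be guessed, plus
    one bit (assumption) for 'repeated or mirrored?'."""
    half = structural_half(pw)
    if half is None:
        return entropy_bits(pw)
    return entropy_bits(half) + 1.0


if __name__ == "__main__":
    # The two candidates from the thread, plus a random-looking control.
    for pw in ("6:Q?-jiF6:Q?-jiF", "6:Q?-jiFFij-?Q:6", "6:Q?-jiFk2#Lm8!p"):
        print(f"{pw}: naive {entropy_bits(pw):.1f} bits, "
              f"effective {effective_entropy_bits(pw):.1f} bits")
```

Both 16-character examples collapse to the strength of an 8-character block, roughly 53 bits instead of about 105, which is the thread's "then it also doesn't have to be so long" argument made explicit.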