|
Posted by Peter Frank on October 5, 2005, 12:19 pm
Hello,
The encryption software I use offers me two choices for entering a
passphrase:
1) an ordinary password consisting of letters, numbers and/or special
characters
2) 10 symbols that can be clicked in any order to form a "passphrase"
How safe is a "passphrase" consisting of maybe 15 symbol clicks
compared to a password consisting of 15 letters, numbers and/or
special characters?
Let's assume the password was chosen carefully, so it contains no
known words or derivations thereof, and special characters and numbers
were used.
Is the password safer because there are many more letters, numbers,
and special characters than symbols to choose from?
Peter
|
|
Posted by Juergen Nieveler on October 5, 2005, 11:32 am
> Is the password safer because there are many more letters, numbers,
> and special characters than symbols to choose from?
Yes
Juergen Nieveler
--
I don't mind lying, but I hate inaccuracy
|
|
Posted by Volker Birk on October 5, 2005, 1:33 pm
> The encryption software I use offers me two choices for entering a
> passphrase:
> 1) an ordinary password consisting of letters, numbers and/or special
> characters
> 2) 10 symbols that can be clicked in any order to form a "passphrase"
> How safe is a "passphrase" consisting of maybe 15 symbol clicks
> compared to a password consisting of 15 letters, numbers and/or
> special characters?
It is important to have enough entropy in a passphrase. Clicking 15
times one of 10 symbols means 10^15 combinations. And this means not
enough entropy for a passphrase, not at all.
Perhaps you should click at least 25 times ;-)
A passphrase consisting of random data using 64 bit of characters
and a length of, say 10 characters, means 64^10 combinations, which
means 2^60 combinations. This is more than 10^20, too.
10^20 is a good thumbnail, what should be topped today for _any_
meaning of security. You'd better improve that for some applications.
10^20 means, that brute forcing with a system offering 10^9 operations
a second (as a thumbnail) will last 10^11 seconds, that means 3*10^4
years now. That sounds good, but using Moore's law, you could calculate,
how long (or how short) this will be secure in reality.
Yours,
VB.
--
If class libraries are compared to animals, MFC is the slime-warts toad.
|
|
Posted by Anne & Lynn Wheeler on October 5, 2005, 6:57 pm
> The encryption software I use offers me two choices for entering a
> passphrase:
> 1) an ordinary password consisting of letters, numbers and/or special
> characters
> 2) 10 symbols that can be clicked in any order to form a "passphrase"
>
> How safe is a "passphrase" consisting of maybe 15 symbol clicks
> compared to a password consisting of 15 letters, numbers and/or
> special characters?
>
> Let's assume the password was chosen carefully, so it contains no
> known words or derivations thereof, and special characters and numbers
> were used.
>
> Is the password safer because there are many more letters, numbers,
> and special characters than symbols to choose from?
"safe" can be a combination of several things. creation of passwords
that are totally impossible to remember ... make them harder for an
attacker to guess ... but also result in humans writing them down
.... providing an attacker with more than one avenue for obtaining the
password.
shared-secret passwords also have a requirement that unique shared
secrets are required for different security domains (cross-domain
compromise ... i.e. the password at your local garage ISP being the
same as your online banking access). difficulty of memorizing goes up
both as the complexity of the password as well as the number of
different passwords. i got my first password nearly 40 years ago
.... and at the time, I only had one. Now I'm faced with managing
scores of passwords. then if they have to be changed every month, the
problem can reach truly hopeless state:
http://www.garlic.com/~lynn/subpubkey.html#secrets
then there are the rules excluding certain values ... here is a
corporate directive April 1st version from over 20 years ago
.... parody explains how there is only one acceptable password.
http://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM
some recent news articles ... effectively institutional-centric
paradigm running afoul of person related limitations.
Password overload is costing money
http://www.theinquirer.net/?article=26653
Multiple passwords creating insecurity
http://www.computeractive.co.uk/computing/news/2143054/multiple-passwords-creating
Multiple passwords creating insecurity
http://www.itweek.co.uk/computing/news/2143054/multiple-passwords-creating
Multiple passwords creating insecurity
http://www.vnunet.com/computing/news/2143054/multiple-passwords-creating
Now, what was my September password?
http://www.purdueexponent.org/index.php/module/Issue/action/Article/article_id/1168
Too Many Passwords
http://it.slashdot.org/it/05/09/27/1935210.shtml?tid=172&tid=218
Authentication | Password Overload Makes Enterprise Systems Less Secure
http://www.techweb.com/wire/security/171201073
Password overload plagues US.biz
http://www.theregister.com/2005/09/27/password_overload_survey/
Password Overload Makes Enterprise Systems Less Secure
http://news.yahoo.com/s/cmp/20050928/tc_cmp/171201073;_ylt=A9FJqZNytzpDEWgAlgYjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
Survey shows signs of security password overload
http://www.cbronline.com/article_news.asp?guid=7778865B-DD3A-4230-9968-83244D713FBE
Password overload plagues US.biz
http://www.securityfocus.com/news/11331
--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
|
|
Posted by Unruh on October 6, 2005, 12:19 am
>Hello,
>The encryption software I use offers me two choices for entering a
>passphrase:
>1) an ordinary password consisting of letters, numbers and/or special
>characters
>2) 10 symbols that can be clicked in any order to form a "passphrase"
>How safe is a "passphrase" consisting of maybe 15 symbol clicks
Compare 10^15 with 64^15.
>compared to a password consisting of 15 letters, numbers and/or
>special characters?
>Let's assume the password was chosen carefully, so it contains no
>known words or derivations thereof, and special characters and numbers
>were used.
>Is the password safer because there are many more letters, numbers,
>and special characters than symbols to choose from?
Yes.
|
|
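The keyspace comparison raised in the replies above (10^15 versus 64^15, brute force at 10^9 guesses per second, and the effect of Moore's law), worked through as an added example that is not part of any poster's message. It assumes every symbol is chosen uniformly at random and, for the Moore's-law case, that the attacker's guessing rate doubles every 18 months; both are assumptions, as are all function names.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size, length):
    """Number of equally likely passphrases (uniform random choice assumed)."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size, target_keyspace):
    """Shortest length whose keyspace is at least target_keyspace."""
    length, space = 0, 1
    while space < target_keyspace:
        space *= alphabet_size
        length += 1
    return length

def years_constant_rate(space, guesses_per_sec=1e9):
    """Years to try every candidate at a fixed guessing rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR

def years_moore(space, guesses_per_sec=1e9, doubling_years=1.5):
    """Years to try every candidate when the rate doubles every doubling_years.

    Guesses made by year t: r0 * T/ln2 * (2**(t/T) - 1); solved here for t.
    The 1.5-year doubling period is an assumption, not a figure from the thread.
    """
    r0 = guesses_per_sec * SECONDS_PER_YEAR  # guesses per year at the start
    return doubling_years * math.log2(1 + space * math.log(2) / (r0 * doubling_years))

if __name__ == "__main__":
    cases = [("10 symbols x 15 clicks", 10, 15),
             ("64 chars x 10", 64, 10),
             ("64 chars x 15", 64, 15)]
    for name, alphabet, length in cases:
        space = keyspace(alphabet, length)
        print(f"{name:24s} {entropy_bits(alphabet, length):5.1f} bits  "
              f"fixed rate: {years_constant_rate(space):.3g} y  "
              f"Moore: {years_moore(space):.3g} y")
    print("clicks needed to match 64^15:", min_length(10, 64 ** 15))
    print("clicks needed to reach 10^20:", min_length(10, 10 ** 20))
```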