Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.security.misc > #1317

Re: random passwords

From Ivan Shmakov <ivan@siamics.net>
Newsgroups alt.os.linux, comp.os.linux.misc, comp.security.misc
Subject Re: random passwords
Date 2018-08-24 18:07 +0000
Organization A noiseless patient Spider
Message-ID <87h8jjfxjo.fsf@miko.siamics.net> (permalink)
References (4 earlier) <pllofa$fbr$1@news1.tnib.de> <plm57g$p91$2@dont-email.me> <878t4xgouh.fsf_-_@miko.siamics.net> <plmiso$i0s$1@dont-email.me> <plmvbn$ehd$1@tncsrv09.home.tnetconsulting.net>

Cross-posted to 3 groups.

Show all headers | View raw

>>>>> Grant Taylor <gtaylor@tnetconsulting.net> writes:
>>>>> On 08/23/2018 09:12 AM, Rich wrote:

 >> Sentence based ones are better than pure word based ones, but
 >> there's still patterns in sentence based passwords, patterns that
 >> can be formulated into patterns for tools like jack the ripper to
 >> test against.  Yes, that increases the time of the attack, but
 >> nothing like how the numbers blow up when the password is based on
 >> "any one of the characters from large set X could appear here"
 >> (random generation).

 > Agreed.

	At some point, the sheer number of patterns to consider will mean
	that a significant fraction of key space has to be considered,
	eliminating any advantage over exhaustive brute force search.

	Still, as was already pointed out in this thread and elsewhere
	(http://xkcd.com/936/), there's a certain compromise in choosing
	a password that's hard enough to bruteforce and easy enough to
	remember.  And to quote XKCD specifically:

    Through 20 years of effort, we've successfully trained everyone to
    use passwords that are hard for humans to remember, but easy for
    computers to guess.

 > Words will /more/ /likely/ come from a dictionary of the /same/
 > /language/ than a different language.

	Which may be an argument in favor of "mangling" one or more of
	the words.

 > Words also equate to a sequence of letters, thus some predictability
 > of said sequence letters.

 > When calculating the strength of word based passphrases, you need to
 > take size of the dictionary to the power of the number of words used.

 > The last time I did the math, (I think) even a truly random eight
 > character password was stronger than a five word passphrase out of a
 > dictionary of a few thousand words.  Obviously you can play with the
 > numbers either way.

	Assuming it's a random ASCII non-control (32 .. 127) character,
	it's only \log _2 95 < 6.6 bits of entropy per character, or
	about 53 bits of entropy for a 8-character password.

	An equivalent 5-word password would require about 10.6 bits of
	entropy per word, or a dictionary of 2 ^{10.6} < 1510 words.

	Similarly, a 4-word password of similar strength would require
	about 13.2 bits per word, or a dictionary of 10 ^{13.2} < 9500
	words.

	On one of my systems, /usr/share/dict/words has slightly over
	99000 words, but that apparently includes proper names and
	possessives, thus resulting in passphrases like:

$ shuf -n5 < american-english | fmt -w78 
Garland japing Bushido misstatement's profundity's
$ 

[...]

-- 
FSF associate member #7257  http://am-1.org/~ivan/

Back to comp.security.misc | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 14:05 +0000
  Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-23 09:47 -0500
    Re: random passwords Wouter Verhelst <w@uter.be> - 2018-08-24 10:16 +0200
      Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:46 +0100
        Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-24 09:19 -0400
        Re: random passwords Daniel60 <daniel47@eternal-september.org> - 2018-08-25 21:57 +1000
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-25 13:32 +0100
  Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-08-23 15:50 +0100
    Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 16:40 +0000
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:12 +0000
      Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-08-23 18:49 +0100
        Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-09-01 13:45 +0000
          Re: random passwords Rich <rich@example.invalid> - 2018-09-01 15:02 +0000
          Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-09-01 16:54 +0000
          Re: random passwords Richard Kettlewell <invalid@invalid.invalid> - 2018-09-04 07:37 +0100
  Re: random passwords Rich <rich@example.invalid> - 2018-08-23 15:12 +0000
    Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-23 12:49 -0400
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:18 +0000
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:27 +0000
          Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:44 +0000
    Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:38 -0600
      Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:47 -0600
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-24 02:20 +0000
        Re: random passwords Jasen Betts <jasen@xnet.co.nz> - 2018-08-24 05:10 +0000
      Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 02:32 +0100
        Re: random passwords Rich <rich@example.invalid> - 2018-08-24 01:56 +0000
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:37 +0100
        Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 20:13 -0600
          Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-24 11:42 +0100
            Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-24 11:55 +0100
              Re: random passwords Paul <nospam@needed.invalid> - 2018-08-24 08:37 -0400
                Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-24 13:51 +0100
                Re: random passwords Paul <nospam@needed.invalid> - 2018-08-24 12:41 -0400
            Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-25 02:03 +0000
              Re: random passwords Java Jive <java@evij.com.invalid> - 2018-08-25 11:32 +0100
              Re: random passwords Paul <nospam@needed.invalid> - 2018-08-25 07:49 -0400
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-27 23:12 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-27 23:40 +0000
                Re: random passwords Paul <nospam@needed.invalid> - 2018-08-27 20:10 -0400
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-28 00:17 +0000
                Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-27 20:52 -0400
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-27 22:31 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-28 10:23 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-28 14:45 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-28 23:00 +0000
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 01:22 +0000
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-29 07:21 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 11:37 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 12:25 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 19:35 +0100
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-29 17:46 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-30 06:53 +0100
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-30 07:48 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-30 19:07 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-31 00:36 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-31 03:10 +0100
                Re: random passwords Chris Elvidge <chris@mshome.net> - 2018-08-31 12:26 +0100
                Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-29 23:36 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-29 11:35 +0100
                Re: random passwords not@telling.you.invalid (Computer Nerd Kev) - 2018-08-29 23:45 +0000
      Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-24 18:07 +0000
        Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-24 20:27 +0000
    Re: random passwords Bud Frede <frede@mouse-potato.com> - 2018-09-03 07:23 -0400
  Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 16:57 +0000
    Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:07 +0000
  Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:02 +0000
    Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 17:25 +0000
      Re: random passwords William Unruh <unruh@invalid.ca> - 2018-08-23 17:32 +0000
      Re: random passwords Rich <rich@example.invalid> - 2018-08-23 17:46 +0000
        Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-23 18:07 +0000
        Re: random passwords Grant Taylor <gtaylor@tnetconsulting.net> - 2018-08-23 12:51 -0600
    Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-08-24 02:35 +0000
  Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-25 11:13 -0500
    Re: random passwords Rich <rich@example.invalid> - 2018-08-25 17:24 +0000
      Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-25 13:17 -0500
        Re: random passwords Rich <rich@example.invalid> - 2018-08-25 20:27 +0000
          Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-25 21:28 -0500
            Re: random passwords Jean-David Beyer <jeandavid8@verizon.net> - 2018-08-26 01:19 -0400
              Re: random passwords Rich <rich@example.invalid> - 2018-08-26 13:43 +0000
                Re: random passwords Ivan Shmakov <ivan@siamics.net> - 2018-08-26 14:15 +0000
                Re: random passwords Rich <rich@example.invalid> - 2018-08-26 15:18 +0000
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 09:30 -0500
              Re: random passwords Michael Black <mblack@pubnix.net> - 2018-08-26 11:44 -0400
                Re: random passwords John Hasler <jhasler@newsguy.com> - 2018-08-26 16:40 -0500
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 21:11 -0500
                Re: random passwords Allodoxaphobia <knock_yourself_out@example.net> - 2018-08-28 13:29 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-28 14:32 +0100
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 07:17 +0100
                Re: random passwords Melzzzzz <Melzzzzz@zzzzz.com> - 2018-08-27 06:21 +0000
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 08:15 +0100
                Re: random passwords Roger Blake <rogblake@iname.invalid> - 2018-08-27 22:44 +0000
              Re: random passwords azigni <azigni@yahoo.com> - 2018-08-26 12:55 -0600
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 16:09 -0500
                Re: random passwords Rich <rich@example.invalid> - 2018-08-26 21:32 +0000
                Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 21:11 -0500
                Re: random passwords The Natural Philosopher <tnp@invalid.invalid> - 2018-08-27 07:19 +0100
            Re: random passwords Doug McIntyre <merlyn@dork.geeks.org> - 2018-08-26 00:41 -0500
              Re: random passwords Robert Heller <heller@deepsoft.com> - 2018-08-26 06:48 -0500

csiph-web