A better way to think about passwords

Grant Olson kgo at grant-olson.net
Mon Apr 18 01:39:42 CEST 2011


On 04/17/2011 06:58 PM, Robert J. Hansen wrote:
>> Summary: A 3-word password (e.g., "quick brown fox") is secure against
>> cracking attempts for 2,537 years.
> 
> I am giving a great big yuk to his methodology.  There's no reference to the entropy of text, for instance.  His example of a three common word password, "this is fun," amounts to a total of 11 letters: this will be around 22 bits of entropy, or 4 million combinations.  @ 100 attempts per second, that requires 40,000 seconds, or about 11 hours.  He claims it'll take 2,357 years.  Let's just say I'm skeptical.
> 
> Also, look at his claims for a six-character "common word."  Okay, so this has at most 10 bits of entropy or so: any more and it wouldn't be common.  10 bits of entropy equals 1000 possibilities, @ 100 per second equals ten seconds to break it -- not the 3 minutes he claims.
> 
> His math doesn't work.  I call shenanigans on the entire thing.
> 

I think it's worth noting that the low entropy of English (you quoted
2.5 bits per char in another thread) isn't just an academic issue.  Real
password crackers actually do employ multiple strategies and passes in
order of complexity.  For example, starting with dictionary, then
dictionary w/leetspeak, eventually brute force, etc.

My other big gripe with this article is that it completely ignores the
possibility of an offline attack against the hashes.  It's assuming that
the limiting factor is the number of times you can access a webpage.
I've been goofing around with BitCoin this weekend, and my MacBook Pro
is generating about 2 Million SHA256 hashes a second.

-- 
-Grant

"Look around! Can you construct some sort of rudimentary lathe?"
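The two back-of-the-envelope calculations in this thread (Hansen's entropy estimate for "this is fun" at 100 guesses per second, and Grant's point that an offline attacker hashing at 2 million SHA-256/s is the real limiting factor) can be reproduced with a small estimator. This is an added example written for this archive page, not code from either poster. The 2 bits-per-character figure is the assumption implied by "11 letters ... around 22 bits"; the 100/s online rate and the 2,000,000/s offline rate are the numbers quoted in the thread; the dictionary size of 2,000 words for the "three common words" case is a constructed illustration.

```python
import math

# Rates quoted in the thread.
ONLINE_RATE = 100            # guesses/sec, the web-form limit the article assumes
OFFLINE_RATE = 2_000_000     # SHA-256/sec quoted for a MacBook Pro mining BitCoin

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_from_text(password: str, bits_per_char: float = 2.0) -> float:
    """Entropy estimate for natural-language text.

    Hansen's figure ("11 letters ... around 22 bits") implies about 2 bits
    per character of English, so that is the default assumption here.
    Characters are counted including spaces, which gives 11 for the example.
    """
    return len(password) * bits_per_char


def dictionary_entropy(num_words: int, dict_size: int) -> float:
    """Entropy of a passphrase built from `num_words` random picks out of a
    word list of `dict_size` entries (log2 of the number of combinations).
    A single 'common' word drawn from ~1024 candidates is ~10 bits, which
    matches the estimate in the thread."""
    return num_words * math.log2(dict_size)


def crack_time_seconds(bits: float, rate: float) -> float:
    """Worst-case time to exhaust a keyspace of 2**bits at `rate` guesses/sec."""
    return 2 ** bits / rate


def implied_bits(years: float, rate: float) -> float:
    """Reverse the article's claim: how much entropy would a password need
    for exhaustive search at `rate` guesses/sec to take `years` years?"""
    guesses = years * SECONDS_PER_YEAR * rate
    return math.log2(guesses)


def format_duration(seconds: float) -> str:
    """Human-readable duration for the report below."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare_scenarios(bits: float) -> dict:
    """Crack time for the same keyspace under the online (rate-limited web
    form) and offline (stolen hash, local SHA-256) threat models."""
    return {
        "bits": bits,
        "combinations": 2 ** bits,
        "online_seconds": crack_time_seconds(bits, ONLINE_RATE),
        "offline_seconds": crack_time_seconds(bits, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for label, bits in [
        ('"this is fun" as English text', entropy_from_text("this is fun")),
        ("one common word (1024 candidates)", dictionary_entropy(1, 1024)),
        ("three words from a 2,000-word list (constructed)", dictionary_entropy(3, 2000)),
    ]:
        r = compare_scenarios(bits)
        print(f"{label}: {r['bits']:.1f} bits, {r['combinations']:,.0f} combinations")
        print(f"   online  @ {ONLINE_RATE:>9,}/s: {format_duration(r['online_seconds'])}")
        print(f"   offline @ {OFFLINE_RATE:>9,}/s: {format_duration(r['offline_seconds'])}")

    # How strong would a password have to be for the article's 2,537-year
    # claim to hold at 100 guesses/sec?  About 43 bits, i.e. far more than
    # the ~22 bits that three short English words actually provide.
    print(f"2,537 years at {ONLINE_RATE}/s implies "
          f"{implied_bits(2537, ONLINE_RATE):.1f} bits of entropy")
```

The offline row is the point Grant raises: the same 22-bit keyspace that takes roughly eleven hours against a rate-limited web form falls in about two seconds once the attacker holds the hash and can run SHA-256 locally, so any defence based purely on counting web-page accesses overstates the margin by orders of magnitude.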
