A better way to think about passwords

Hedge Hog hedgehogshiatus at gmail.com
Mon Apr 18 01:09:36 CEST 2011

On Mon, Apr 18, 2011 at 8:58 AM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>> Summary: A 3-word password (e.g., "quick brown fox") is secure against
>> cracking attempts for 2,537 years.
> I am giving a great big yuk to his methodology.  There's no reference to the entropy of text, for instance.  His example of a three common word password, "this is fun," amounts to a total of 11 letters: this will be around 22 bits of entropy, or 4 million combinations.  @ 100 attempts per second, that requires 40,000 seconds, or about 11 hours.  He claims it'll take 2,357 years.  Let's just say I'm skeptical.
> Also, look at his claims for a six-character "common word."  Okay, so this has at most 10 bits of entropy or so: any more and it wouldn't be common.  10 bits of entropy equals 1000 possibilities, @ 100 per second equals ten seconds to break it -- not the 3 minutes he claims.
> His math doesn't work.  I call shenanigans on the entire thing.

Correct. But do you claim the ideas are shenanigans:
a) use several words.
b) choose memorable combinations, to you, of these words.

Example: What do you make the _expected_ secure time _estimate_ of:
a) three four letter words say: muck, ruck, puck?
b) make them memorable: the puck in the ruck in the muck?

Then, for a), what is the estimate if one choose three five letter
words, or three six letter words?

Best wishes.

> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

πόλλ' οἶδ ἀλώπηξ, ἀλλ' ἐχῖνος ἓν μέγα
[The fox knows many things, but the hedgehog knows one big thing.]
  Archilochus, Greek poet (c. 680 BC – c. 645 BC)

More information about the Gnupg-users mailing list