A better way to think about passwords

Faramir faramir.cl at gmail.com
Mon Apr 18 15:19:47 CEST 2011

Hash: SHA256

El 17-04-2011 23:50, Grant Olson escribió:
> But if you don't, and you use a dictionary word, or a dictionary word
> with l33t-sp34k, or two dictionary words, your opponent can develop a
> strategy that beats the average case brute force time.  And your
> opponent actually does this now.  The McAfee article conveniently
> ignores that the Cane & Abel can do dictionary attacks, and it can do
> rainbow table lookups.

  Yes, and I'm thinking we should include symbols between words (but I'm
not saying we should not also use them anywhere else).
  About rainbow tables, probably the author used that hash to have
something to break, I mean, to bruteforce something, you need something
that is not the plain text password, it may be an encrypted file, or a
hashed value. I don't know if there are rainbow tables for SHA-256, but
so far I have not seen a site with the complete set for MD5 (maybe I
have not searched enough).

> The seventeen character "imtoosexyformycar" may be much much easier to
> hack than the seventeen character "qkgfnroefdsoeyhzz" depending on your
> opponent's strategy, and it may not, but it'll never be significantly
> slower.

  Right said, eh, Grant ;)

  The good thing is we are not forced to chose words just from English
dictionary... we can mix from several languages, including Klingon, plus
symbols... If the attacker knows too much about us to be able to design
a custom strategy to do a mixed dictionary attack, maybe they can also
use the 5 dollars hammer strategy. For remote attackers, maybe they
won't know that much about us.

  Still, I'm considering my bullet-proof more-than-128-bits-of-entropy
passphrase might be not as hard as it might be :P

  Best Regards
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Gnupg-users mailing list