A better way to think about passwords

Faramir faramir.cl at gmail.com
Mon Apr 18 15:19:47 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 17-04-2011 23:50, Grant Olson wrote:
...
> But if you don't, and you use a dictionary word, or a dictionary word
> with l33t-sp34k, or two dictionary words, your opponent can develop a
> strategy that beats the average case brute force time.  And your
> opponent actually does this now.  The McAfee article conveniently
> ignores that Cain & Abel can do dictionary attacks, and it can do
> rainbow table lookups.

  Yes, and I'm thinking we should include symbols between words (but I'm
not saying we should not also use them anywhere else).
  About rainbow tables, probably the author used that hash to have
something to break; I mean, to brute-force something, you need something
that is not the plaintext password, it may be an encrypted file, or a
hashed value. I don't know if there are rainbow tables for SHA-256, but
so far I have not seen a site with the complete set for MD5 (maybe I
have not searched enough).

...
> The seventeen character "imtoosexyformycar" may be much much easier to
> hack than the seventeen character "qkgfnroefdsoeyhzz" depending on your
> opponent's strategy, and it may not, but it'll never be significantly
> slower.

  Right said, eh, Grant ;)

  The good thing is we are not forced to choose words just from the English
dictionary... we can mix from several languages, including Klingon, plus
symbols... If the attacker knows too much about us to be able to design
a custom strategy to do a mixed dictionary attack, maybe they can also
use the 5-dollar hammer strategy. For remote attackers, maybe they
won't know that much about us.

  Still, I'm considering my bullet-proof more-than-128-bits-of-entropy
passphrase might not be as hard as it might be :P

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJNrDpzAAoJEMV4f6PvczxA6swH/RG3GLA45q1AhLGevuAMAib8
jwdB5dIk++/vJrk1S0uU7zHJfsWhcgfjEPVcq3/GqsHI3sBTkeC8UVVF9p2gykXt
++YKQ7Hv8A4JEhlRWReOBAsBYaNzV1Ggd6C9Oc/f2e/PuU8Luz0D8EjxgxiBeGLc
u7VQR9rTGUOi1UHhKYUS5jt515YOEM2839uBSbh2xLQZJXAiN5ZB0anO6L4bUhfa
SKX2fhIT2otlTPJmxajpe1a82EEJrjJtS1C7a40NszXyogPTsq4p1qcMxJMQmn/7
TgUJ1ygb5Jl74buna1+GnvBYPPFa1MTCggxASSVRG33HaJR+gG2WDVA7KylXk3A=
=fQo5
-----END PGP SIGNATURE-----
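The attack Grant describes (dictionary words, l33t-sp34k variants, two words joined with a symbol, each candidate hashed and compared) and the entropy point Faramir raises (a passphrase that looks long is only as strong as the scheme the attacker can guess), as an added example that is not part of the thread and is not Cain & Abel's code. The ten-word dictionary, the substitution table, the separator set and the target passwords are all constructed here for illustration; a real wordlist has thousands of entries and the search space grows accordingly.

```python
"""Toy dictionary attack against SHA-256 hashes plus a scheme-aware
entropy estimate.  Everything below (wordlist, l33t table, separators,
targets) is constructed for the example, not taken from the thread."""
import hashlib
import itertools
import math

# Constructed toy dictionary; a real attack would load a wordlist file.
WORDLIST = ["sexy", "car", "too", "my", "for", "im",
            "secret", "password", "klingon", "dragon"]
# Constructed l33t-sp34k substitutions the attacker tries.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# Constructed set of symbols tried between words ("" = words run together).
SEPARATORS = ["", "-", "_", ".", "!"]


def sha256_hex(text):
    """Unsalted SHA-256, the kind of hash the McAfee article used as a target."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield every spelling of word with any subset of LEET letters swapped
    (2**k variants, k = number of substitutable letters)."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product([False, True], repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, mask):
            if flip:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def candidates(words=WORDLIST, max_words=2, seps=SEPARATORS):
    """Yield single words and their l33t variants, then every ordered
    combination of up to max_words of them joined with each separator."""
    base = [v for w in words for v in leet_variants(w)]
    for n in range(1, max_words + 1):
        for combo in itertools.product(base, repeat=n):
            for sep in (seps if n > 1 else [""]):
                yield sep.join(combo)


def search_space_size(words=WORDLIST, max_words=2, seps=SEPARATORS):
    """Number of guesses candidates() produces, computed in closed form."""
    base = sum(2 ** sum(1 for ch in w if ch in LEET) for w in words)
    return sum(base ** n * (len(seps) if n > 1 else 1)
               for n in range(1, max_words + 1))


def crack(target_hex, words=WORDLIST, max_words=2):
    """Return (plaintext, guesses_tried); plaintext is None on failure."""
    tried = 0
    for cand in candidates(words, max_words):
        tried += 1
        if sha256_hex(cand) == target_hex:
            return cand, tried
    return None, tried


def scheme_entropy_bits(n_words, dict_size, sep_choices=1):
    """Entropy if the attacker knows the scheme: n_words words drawn from
    dict_size with one of sep_choices symbols between each pair."""
    return n_words * math.log2(dict_size) + (n_words - 1) * math.log2(sep_choices)


def charwise_entropy_bits(length, alphabet=26):
    """Entropy of `length` uniformly random characters from `alphabet`
    (the estimate a naive length-based strength meter gives)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed target: dictionary word with one l33t swap, symbol, word.
    found, tried = crack(sha256_hex("s3cret-dragon"))
    print("recovered %r after %d guesses" % (found, tried))
    # Random letters of the same length fall outside the dictionary model.
    found, tried = crack(sha256_hex("qkgfnroefdsoeyhzz"))
    print("random string: %r after %d guesses" % (found, tried))
    # "imtoosexyformycar" as 5 words from a 7776-word (diceware-sized) list
    # versus 17 random lowercase letters.
    print("5 words of 7776: %.1f bits" % scheme_entropy_bits(5, 7776))
    print("17 random letters: %.1f bits" % charwise_entropy_bits(17))
```

The point of `search_space_size` is the one the thread makes: with the scheme known, the attacker's work is the product of the dictionary size, the substitution variants and the separator set, not 26 to the power of the length. Growing the word list (several languages, Klingon) and the symbol set raises that product; a longer-looking phrase built from the same list does not.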


