A better way to think about passwords

Robert J. Hansen rjh at sixdemonbag.org
Fri Apr 22 20:17:45 CEST 2011


On 4/22/11 10:04 AM, Nicholas Cole wrote:
> What I meant was rather this: there are several strategies that
> produce good passwords.  Teaching them requires (at some employers) a
> 30 minute course or the reading of a web page.  However, forcing any
> *particular* strategy onto users will dramatically reduce the time it
> takes to guess a password, since knowing the strategy reduces the
> number of possibilities dramatically.

Let's have a thought experiment: your particular situation is such that
you want attackers to face at least a 9-bit keyspace, but you also want
to disqualify easy, commonly-used keys.

Answer: tell users their passwords must be any number between 0 and 999
inclusive, except that it can't be in the range 0-9, or be any two- or
three-character repeating password (no 11, no 222, no 33, but 331 is
fine).  This is meant to keep people from choosing weak passwords.  This
has the net effect of striking 10 (0-9) + 9 (11+22+33... etc.: note that
00 is already struck under the "no 0-9" rule) + 9 (111+222+333... etc.)
= 28 possibilities.

You've reduced the original 9.97-bit keyspace to 9.92 bits, which still
exceeds your requirements.  At the same time, you're preventing users
from choosing trivially weak and easily guessable passwords.

Your observation is correct only if excluding certain passphrases causes
the entropy of the keyspace to drop below your requirements.  Otherwise,
there's no problem with strategy enforcement.
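The arithmetic in the thought experiment, as an added worked example (not part of the original message): it enumerates the 0-999 keyspace, strikes the candidates the stated rules exclude, and reports the remaining bits, plus how many exclusions a keyspace of that size can absorb before a given minimum is breached.

```python
import math
from typing import Callable, Iterable

def is_repeating(s: str) -> bool:
    """True for two- or three-character repeats such as '11' or '222'."""
    return len(s) >= 2 and len(set(s)) == 1

def allowed(n: int) -> bool:
    """The rule from the message: no 0-9, no repeating two/three-digit values.
    Values are compared as their plain decimal string, so '00' and '000'
    never occur separately; they are already struck as the integer 0."""
    if 0 <= n <= 9:
        return False
    return not is_repeating(str(n))

def keyspace_bits(candidates: Iterable[int], rule: Callable[[int], bool]) -> tuple[int, float]:
    """Return (remaining candidates, log2 entropy in bits) after applying rule."""
    remaining = sum(1 for c in candidates if rule(c))
    return remaining, math.log2(remaining)

def max_exclusions(total: int, min_bits: float) -> int:
    """How many candidates can be struck from a keyspace of `total` values
    while still leaving at least `min_bits` of entropy."""
    return total - math.ceil(2 ** min_bits)

if __name__ == "__main__":
    full = 1000  # constructed keyspace: every integer 0..999
    remaining, bits = keyspace_bits(range(full), allowed)
    print(f"struck {full - remaining}, {remaining} left, "
          f"{math.log2(full):.2f} -> {bits:.2f} bits")
    print(f"can strike up to {max_exclusions(full, 9)} and keep 9 bits")
```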