attack on my server

Dave Mason dmason-bqArmZWzea/GcjXNFnLQ/w at public.gmane.org
Wed Aug 29 15:44:33 UTC 2007


Alex Maynard wrote:

> This suggests choosing the passphrase words at random by rolling
> dice.  I'm sure that will be hard to break, but isn't that also hard
> to remember unless you use it very often?  Alex

I haven't used this for my personal password, but I have for my root
password.  Despite the fact that I only type the root password once a
month or so, I have had no difficulty remembering it.  The fact that it
is a string of words with a few special characters thrown in actually
makes it a lot more memorable than other good passwords I have used.  I
actually include spaces between the words which helps my mind think of
them as an (admittedly nonsense) phrase.  And the fact that it is such a
good password means that there is no point in changing the password
periodically unless you're *really* paranoid.

As Ian points out the phrase is a set of 5 words chosen from the list,
which, if you add the one special character suggested (as I did for my
root password) gives you 74.6 bits of entropy.  For comparison, an 8
character password chosen *completely at random* (i.e. by rolling dice)
from a 95 character alphabet (standard printable ascii) gives you 52.5
bits of entropy.  That extra 22 bits of entropy means that it is 2^22
(about 4 million) times harder to crack.  It is also not subject to a
dictionary attack.  The words are just there to help you remember the
result of the 29 random dice rolls you made.  Using the example from the
page, instead of the key cleft-cam-synod-lacy-yr, you could as well use
1666515653563223561665224 - they are isomorphic and both have 6^25 or
2^64.6 (64.6 bits) worth of entropy.

For anyone interested in passwords and entropy, you may find:
    http://en.wikipedia.org/wiki/Password_cracking
    http://en.wikipedia.org/wiki/Cryptographic_key_length
    http://en.wikipedia.org/wiki/Password_strength
    http://en.wikipedia.org/wiki/Passphrase
interesting.

For a description of what that entropy does for you, see:
    http://world.std.com/~reinhold/dicewarefaq.html#howlong

In that analysis, that 8-character random password is almost equivalent
to a four-word diceware password.

And lastly, I've referred a few times to *random* 8-character passwords.
If you're going to do that, I suggest you follow:
    http://world.std.com/~reinhold/dicewarefaq.html#tables
because you won't have randomness otherwise.

../Dave
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
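The entropy arithmetic in the message above (5 Diceware words = 64.6 bits, 8 random printable-ASCII characters = 52.6 bits, the 2^22 difficulty ratio, and the "isomorphism" between a 25-digit dice string and a 5-word phrase) as an added worked example. This is not code from the original post or from the Diceware project; the five-entry word table is a constructed stand-in for the real 7776-word list (the real list's mapping of those dice groups may differ), and the CSPRNG-backed dice are the software equivalent of the physical dice the message insists on.

```python
import math
import secrets

DICE_PER_WORD = 5                           # Diceware: five rolls pick one word
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 words
PRINTABLE_ASCII = 95                        # standard printable ASCII alphabet
DIE_FACES = "123456"


def entropy_bits(alphabet_size, length):
    """Entropy of a secret of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def diceware_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a Diceware passphrase of `num_words` words (12.9 bits per word)."""
    return entropy_bits(list_size, num_words)


def difficulty_ratio(bits_a, bits_b):
    """How many times larger the brute-force search space for bits_a is than for bits_b."""
    return 2 ** (bits_a - bits_b)


def roll_die():
    """One uniform die roll 1..6 from the OS CSPRNG (never random.randint)."""
    return secrets.randbelow(6) + 1


def roll_dice(n):
    """A string of n dice rolls, e.g. 25 rolls for a 5-word phrase."""
    return "".join(str(roll_die()) for _ in range(n))


def random_password(length, alphabet_size=PRINTABLE_ASCII):
    """An 8-character-style password chosen uniformly from printable ASCII (0x20..0x7E)."""
    alphabet = "".join(chr(c) for c in range(0x20, 0x20 + alphabet_size))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _validate_rolls(rolls):
    if len(rolls) % DICE_PER_WORD != 0:
        raise ValueError("roll string must be a multiple of %d digits" % DICE_PER_WORD)
    if any(c not in DIE_FACES for c in rolls):
        raise ValueError("dice rolls must be the digits 1..6")


def rolls_to_index(group):
    """Map a 5-digit dice group to its 0-based position in a Diceware-ordered list."""
    _validate_rolls(group)
    index = 0
    for digit in group:
        index = index * 6 + (int(digit) - 1)
    return index


def rolls_to_words(rolls, wordlist):
    """Split a dice string into 5-digit groups and look each up; the words add no entropy."""
    _validate_rolls(rolls)
    groups = [rolls[i:i + DICE_PER_WORD] for i in range(0, len(rolls), DICE_PER_WORD)]
    return [wordlist[g] for g in groups]


def words_to_rolls(words, wordlist):
    """Inverse of rolls_to_words: the phrase is the dice string, just easier to remember."""
    reverse = {word: group for group, word in wordlist.items()}
    return "".join(reverse[w] for w in words)


# Constructed stand-in for the Diceware list: only the five groups from the
# message's example string, NOT the real list (which has 7776 entries).
SAMPLE_WORDLIST = {
    "16665": "cleft",
    "15653": "cam",
    "56322": "synod",
    "35616": "lacy",
    "65224": "yr",
}
EXAMPLE_ROLLS = "1666515653563223561665224"   # the 25 digits from the message


if __name__ == "__main__":
    five = diceware_bits(5)
    eight = entropy_bits(PRINTABLE_ASCII, 8)
    print("5 Diceware words      : %.1f bits" % five)
    print("4 Diceware words      : %.1f bits" % diceware_bits(4))
    print("8 random ASCII chars  : %.1f bits" % eight)
    print("search-space ratio    : %.0fx" % difficulty_ratio(five, eight))
    print("words for", EXAMPLE_ROLLS, "->", "-".join(rolls_to_words(EXAMPLE_ROLLS, SAMPLE_WORDLIST)))
    print("fresh 25 rolls        :", roll_dice(25))
    print("random 8-char password:", random_password(8))
```

The message's "5 words + one special character = 74.6 bits" is not computed here because the extra ~10 bits depend on the Diceware FAQ's specific insertion procedure; the functions above take the bit counts as numbers, so difficulty_ratio(74.6, 52.5) gives the 2^22 figure directly. A real deployment would load the 7776-line Diceware file into a dict keyed by its 5-digit groups and pass that in place of SAMPLE_WORDLIST.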
