Justin, I don't think the list allows attachments, but I'll try. I'll also send directly to you.

Allen

Justin Coffi wrote:
> Please share (the spreadsheet) with the rest of the class.
>
> Allen wrote:
>> Ettore wrote:
>>>> Question 1
>>>> ------------------
>>>> What I'd like to know is, how insecure is our proposed scheme?
>>>
>>> The entropy of your key will match the one of your password. If the user chose a sequence of 7 letters, the effective key length you would get is ~32 bits, which is not difficult to brute force. To make matters worse, the user will probably choose some meaningful word, which drastically reduces the key space and renders a dictionary attack feasible. If you think that theoretical key security is really a concern AND if you think that trojans are not, I advise forcing the user to enter a long passphrase (rather than a password). 37 characters are enough to reach a single DES level - probably enough for your application.
>>
>> Hi Ettore,
>>
>> While I agree that pass phrases are a better choice, they don't have to be as long as 37 characters to be very secure. I have a spreadsheet based on Philippe Oechslin's optimized Rainbow Table calculation which, with a 1 terabyte table space, says that with a 62 character key space, at 1*10^12 hashes per second it would take 2.4*10^7 years to create the table and 1.4*10^10 years to use the table to find the hash for a 15 character pass phrase.
>>
>> In fact even as few as 12 characters has 3,279,156,381,453,600,000,000 possible pass phrases and would take 104 years to calculate the table and 81 years to have an 86% chance of finding the correct pass phrase.
>>
>> The work effort climbs rapidly after 12 characters. However, I still suggest 15 characters as that prevents a LANMAN legacy attack.
>>
>> If you like I would be more than happy to send you a copy of the spreadsheet so you can play around with it.
>>
>> Best Regards,
>>
>> Allen Schaaf - CISSP, CEH, CHFI, CEI
>> Business Process Analyst - Information Security Analyst
>> Training & Instructional Designer - Sr. Writer & Documentation Developer
>> Certified Network Security Analyst & Intrusion Forensics Investigator
>> Certified EC-Council Instructor
>>
>> Security is a lot like democracy - everyone's for it but few understand that you have to work at it constantly.
>>
>> _______________________________________________
>> FDE mailing list
>> FDE@www.xml-dev.com
>> http://www.xml-dev.com/mailman/listinfo/fde
Attachment: PasswordVulnerabilityCalculator.xls (MS-Excel spreadsheet)
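The key-space and search-cost arithmetic that Ettore's and Allen's figures rest on, as an added example; this is not Allen's spreadsheet and not code from the thread. It assumes a 62-symbol alphabet of A-Z, a-z and 0-9, a 365.25-day year, and 1.5 bits of entropy per character of English prose (a Shannon-style estimate; the thread does not say what figure Ettore used for his "37 characters ~ DES" comparison). Counting every passphrase of length 1 up to 12 over 62 symbols gives 3,279,156,381,453,603,096,810 candidates, which is Allen's 3,279,156,381,453,600,000,000 up to Excel's display rounding, and hashing them once at 10^12 hashes per second takes about 104 years, his "calculate the table" figure. The rainbow-table lookup times and the 86% success probability depend on the Oechslin table parameters and are not reproduced here.

```python
import math

# Added example, not from the thread or Allen's spreadsheet: the exhaustive
# key-space arithmetic behind the password / passphrase figures discussed.

SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumption: Julian year

# Assumption: Shannon-style estimate for ordinary English prose; the thread
# does not state the per-character figure Ettore had in mind.
NATURAL_LANGUAGE_BITS_PER_CHAR = 1.5


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of strings of length 1..max_length, i.e. everything a table or
    exhaustive search must cover when the exact length is unknown."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Effective key length in bits of a secret chosen uniformly from `space`.
    A human-chosen word is far from uniform, so this is an upper bound."""
    return math.log2(space)


def years_to_enumerate(space: int, hashes_per_second: float) -> float:
    """Wall-clock years to hash every candidate once at the given rate: the
    cost of exhaustive search, or of computing a complete table. Does not
    model rainbow-table lookup cost or its success probability."""
    return space / hashes_per_second / SECONDS_PER_YEAR


def natural_language_bits(length: int,
                          bits_per_char: float = NATURAL_LANGUAGE_BITS_PER_CHAR) -> float:
    """Entropy estimate for `length` characters of ordinary prose."""
    return length * bits_per_char


def report(label: str, space: int, rate: float = 1e12) -> None:
    print(f"{label}: {space:,} candidates, "
          f"{entropy_bits(space):.1f} bits, "
          f"{years_to_enumerate(space, rate):.3g} years at {rate:.0e} H/s")


if __name__ == "__main__":
    # Ettore's 7-letter password, lowercase letters only (~32 bits)
    report("7 lowercase letters", keyspace(26, 7))
    # Allen's 12- and 15-character passphrases over a 62-symbol alphabet,
    # counting every length up to the maximum
    report("<=12 chars, 62 symbols", cumulative_keyspace(62, 12))
    report("<=15 chars, 62 symbols", cumulative_keyspace(62, 15))
    # Ettore's 37 characters of prose against a 56-bit DES key
    print(f"37 chars of prose: ~{natural_language_bits(37):.1f} bits "
          f"(DES key: 56 bits)")
```

The point the two posters converge on shows up in the numbers: a 7-letter password sits near 33 bits even before dictionary structure is taken into account, whereas 12 to 15 characters over a mixed alphabet push exhaustive enumeration from about a century to tens of millions of years at the same hash rate, so passphrase length is the cheapest lever a scheme that derives its key from the user's secret has.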