On Fri, Nov 28, 2008 at 01:57:47PM +0000, Lyle wrote:
> David Cantrell wrote:
> > If your password consists of a-z, A-Z, 0-9 and
> > \|,./<>?;'#:@~[]{}-_=+)(*&^%$"! (93 different characters) then you have
> > log(93)/log(2) == 6.5 bits per character, so should use a string of 19
> > or 20 random characters. If you use a passphrase, then remember that
> > English only gives you about 1 bit per character.
> I thought a bit was either 1 or 0 and a byte was a 8 bits which is used
> to represent characters?
Let's take an example.
If you have text (a passphrase) that you know starts with the text "jer"
then that gives you some information about the next letter. So you
don't have 8 bits of "strength" in that fourth letter. The only
possible fourth letters are (according to /usr/share/dict/words on this
'ere machine) a e i k m o r s and u. 8 choices, which is equivalent to
just three bits. However, 1 and u only occur 2 times each out of 50,
whereas k occurs 12 times out of 50, so it's far more likely to be k.
And so on.
Claude Shannon showed that the "entropy" of English is really low, so
when you take into account legal words, plus the context in which they
appear, you only have about 1 bit of entropy per character:
http://math.ucsd.edu/~crypto/java/ENTROPY/
Now, using just the 93 characters I listed, which I chose because
they're the ones that are easy to type, we notice a couple of things
about them:
The most significant bit is always zero, so we only have 7 bits of
randomness (at most), not 8.
Of the 128 possible characters with a 0 MSB, then (if we re-arrange
the ASCII table so that our 93 characters are the first 93 and the
remaining 35 come after them) then a random character from the list will
have the least significant six bits set at random (2^6 == 64, which is
less than 93) but the seventh bit isn't entirely used. We only use 29
of the 64 possible characters that it gives us. So if we know that that
bit is set, we now have some information about what the other six bits
have to be. At its heart, this boils down to: because we're only using
93 of the 256 possibilities for an 8 bit value, each character has a
certain amount of redundant, predictable information in it, which makes
the passphrase less secure. We combat this by making the passphrase
longer, so it's still secure enough.
> Although I did come across some code claiming to be an MD5 cracker...
> Haven't tested it through:-
> http://grahana.wordpress.com/2007/10/18/perl-md5-cracker/
Trust me, that code is *not* a threat! It uses brute force with 14
nested loops. It will take eleventy zillion years to find a hash
collision.
--
David Cantrell | Hero of the Information Age
Are you feeling bored? depressed? slowed down? Evil Scientists may
be manipulating the speed of light in your vicinity. Buy our patented
instructional video to find out how, and maybe YOU can stop THEM
_______________________________________________
BristolBathPM mailing list
[email protected]
http://mailman.bristolbath.org/mailman/listinfo/bristolbathpm
