On 02/03/2017 12:40 PM, Richard Pieri wrote:
On 2/3/2017 8:47 AM, Kent Borg wrote:
I'll change it to 12-honey-denver-doctor then!

No one will even guess that.
A dedicated Hashcat rig can "guess" it within 5 minutes.

You are confusing (1) a password used as a password, and (2) a passphrase used for an encryption key. They are completely different.

1. A password with 32 bits of entropy is quite good: because there are limits to how fast any computer system will accept password attempts.

2. An encryption passphrase with anything much less than ~100 bits of entropy is weak: because there is no hard limit on how fast an attacker might try to crack it (buy more hardware, work in parallel).

Take a 2K word list. There are about 8 billion (2^33) possible combinations of 3 words from this list. Add the 2 character prefixes and you approach 2^40 possible combinations. Sounds like a lot but it's still fewer than the entire DES keyspace (2^56). How random your sequences are doesn't matter when the set of all possible sequences is so weak.

And none (none!) of that applies to a password, used as a password, and not recycled between different systems. You are talking about encryption key passphrases, and your logic is sound in that case.

You are a proponent of ssh keys, right? And you encrypt yours, right? And you use a passphrase...that has how much entropy? I bet less than 100-bits of entropy, because typing good passphrases is really hard. I further bet that your key sits unencrypted much of the time because you are too lazy to type even your poor passphrase every time you would have to. Good passphrase hygiene is hard, much harder than good password hygiene.

Compared to a decent password (that isn't shared between systems*) ssh keys solve a problem that doesn't exist, yet they create additional problems that you ignore.

-kb

* On not recycling passwords: Everyone does it, I assume you do, too. So if someone cracks into one system, yes they might crack into other systems sharing that password. Well, it is unfair to blame your secret password for the fact that you have been handing out copies of a password you should have been keeping secret. The fix for this problem is to keep your password secret and not to recycle it between systems.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
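The keyspace arithmetic the two posters are arguing over (3 words from a 2K list, the 2-digit prefix, the DES comparison, and the online-vs-offline guess-rate distinction) worked through as an added example; this is not code from the thread or from either poster. The guess rates (10/s for a rate-limited login, 10^10/s for an offline rig on a fast hash) and the 100-year acceptability threshold are assumptions chosen for illustration; 7776 is the size of the standard Diceware word list.

```python
import math

# Guess rates are assumptions for illustration, not figures from the thread.
ONLINE_RATE = 10.0      # guesses/s against a rate-limited login endpoint (assumed)
OFFLINE_RATE = 1e10     # guesses/s for an offline rig on a fast hash (assumed)

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace_size(wordlist_size, n_words, prefix_alphabet=1, prefix_len=0):
    """Count of distinct secrets the generation scheme can produce.

    The attacker is assumed to know the scheme (word list, number of words,
    shape of the prefix); only the particular choice is secret.  With no
    prefix this is simply wordlist_size ** n_words.
    """
    return wordlist_size ** n_words * prefix_alphabet ** prefix_len


def entropy_bits(size):
    """Entropy in bits of a uniformly random choice among `size` candidates."""
    return math.log2(size)


def seconds_to_exhaust(size, guesses_per_second):
    """Worst case: time to try every candidate at the given guess rate."""
    return size / guesses_per_second


def years_to_exhaust(size, guesses_per_second):
    return seconds_to_exhaust(size, guesses_per_second) / SECONDS_PER_YEAR


def verdict(size, online_rate=ONLINE_RATE, offline_rate=OFFLINE_RATE,
            max_years=100.0):
    """Return (ok_as_online_password, ok_as_offline_key_passphrase).

    A scheme passes a use if exhausting it at that use's guess rate takes
    longer than max_years (an assumed threshold).  The same keyspace can
    pass the online test and fail the offline one, which is the point of
    the thread.
    """
    return (years_to_exhaust(size, online_rate) > max_years,
            years_to_exhaust(size, offline_rate) > max_years)


def report(label, size):
    online, offline = verdict(size)
    print(f"{label:30s} {entropy_bits(size):6.1f} bits  "
          f"online: {'ok' if online else 'WEAK'}  "
          f"offline: {'ok' if offline else 'WEAK'}")


if __name__ == "__main__":
    # Constructed scenarios mirroring the numbers in the thread.
    three_words = keyspace_size(2000, 3)
    three_words_prefixed = keyspace_size(2000, 3, prefix_alphabet=10, prefix_len=2)
    des = 2 ** 56
    eight_diceware = keyspace_size(7776, 8)   # 7776 = Diceware list size

    report("3 words from 2K list", three_words)
    report("same, with 2-digit prefix", three_words_prefixed)
    report("DES keyspace", des)
    report("8 words from 7776-word list", eight_diceware)
    print(f"offline rig exhausts the prefixed scheme in "
          f"{seconds_to_exhaust(three_words_prefixed, OFFLINE_RATE):.0f} s")
```

Running it shows the prefixed three-word scheme at about 39.5 bits: roughly 2500 years at the rate-limited online rate but about 80 seconds offline, which is the distinction both posters are drawing. Swap in your own word list size, word count, and measured hash rate to size a passphrase for the key you actually protect.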
