Dear list,

I was studying this passphrase creation method called Diceware: http://world.std.com/~reinhold/diceware.html

In it, one rolls a common die five times, writes down the results in sequential order, and then checks the suggested word in the DICTIONARY they provide. You got that? The method is supposed to give the user the words to use. Say your results were "5;6;1;5;3"; then you check their table and the word listed under that number sequence is "sus"; well, that's the (pretty short) word to use in your passphrase. A 46,656 (6^6) word dictionary, publicly available.

The method is clearly one bad choice for password creation, but it's fairly acceptable for obtaining passphrases, and concerning the latter, it assumes that eventual attackers know the referred dictionary, while offering a low guessing probability (high information entropy) for passphrases.

Despite the "rite of passage" idea in which the target stops trying to hide and starts expecting attacks as a certainty, my point here is legal. Doesn't adopting the Diceware method in a, say, government corporative environment mean legalizing brute force attacks?

Yours faithfully,

-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are advantaged because resources are freed up for higher-value work and because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
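The lookup procedure and the entropy argument in the message above, as an added example that is not part of the original post or of the Diceware project: the table here is a constructed stand-in (placeholder words keyed by five die results, with the "56153" -> "sus" lookup from the message pinned), the die is simulated with the OS CSPRNG in place of a physical one, and the entropy figures assume the attacker knows the whole list, as the method does.

```python
import itertools
import math
import secrets

DIE_FACES = 6
ROLLS_PER_WORD = 5  # each Diceware word is selected by five die rolls
LIST_SIZE = DIE_FACES ** ROLLS_PER_WORD


def build_table(overrides=None):
    """Constructed stand-in for the published list: every five-roll key gets a
    placeholder word so any roll resolves. Pass overrides to pin real words."""
    table = {}
    for rolls in itertools.product(range(1, DIE_FACES + 1), repeat=ROLLS_PER_WORD):
        key = "".join(str(r) for r in rolls)
        table[key] = "w" + key  # placeholder, not a real Diceware word
    table.update(overrides or {})
    return table


def rolls_to_key(rolls):
    """Validate a sequence of die results (1..6) and join them into a lookup key."""
    rolls = list(rolls)
    if len(rolls) != ROLLS_PER_WORD or any(not 1 <= r <= DIE_FACES for r in rolls):
        raise ValueError("need %d results, each 1..%d" % (ROLLS_PER_WORD, DIE_FACES))
    return "".join(str(r) for r in rolls)


def secure_roll():
    """One die roll from the OS CSPRNG; a physical die is the original method."""
    return secrets.randbelow(DIE_FACES) + 1


def passphrase(num_words, table, roll=secure_roll):
    """Select num_words words by dice and join them with spaces."""
    words = []
    for _ in range(num_words):
        key = rolls_to_key(roll() for _ in range(ROLLS_PER_WORD))
        words.append(table[key])
    return " ".join(words)


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Entropy against an attacker who knows the list: log2(list_size) per word."""
    return num_words * math.log2(list_size)


def expected_guesses(num_words, list_size=LIST_SIZE):
    """Average tries for an attacker who knows the list and enumerates phrases."""
    return (list_size ** num_words + 1) / 2
```

The secrecy lives entirely in the dice results, so publishing the list costs nothing; each extra word adds the same ~12.9 bits regardless of who holds the dictionary.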
