lo,

On Wednesday 18 January 2006 04:09, Marius Mauch wrote:
> Well, hard to say what would be more secure, that is certainly true.
> Just pointing out that
> 12*[a-zA-Z] offers about 10.000-100.000 times more combinations than
> 8*[a-zA-Z0-9<special-chars>]:
> 52^12 = 390,877,006,486,250,192,896 ~ 3.9*10^20
> 95^8 = 6,634,204,312,890,625 ~ 6.6*10^15
> (assuming 33 special chars, could be a few more or less).
>
> And for completeness:
> 52^8 = 53,459,728,531,456 ~ 5.3*10^13
> 95^12 = 540,360,087,662,636,962,890,625 ~ 5.4*10^23
>
> As said, that doesn't relate to practical security, just shows that in
> theory changing the password length does more in terms of complexity
> than changing the set of allowed chars.
> And every combinational restriction added again decreases the
> complexity.

Very true, but it also works with minimum length as well. Consider that if you FORCE users to use a passphrase (say min length of 15 chars) then with very few exceptions they will just use recognisable dictionary words. So while the theoretical amount of possibilities is a lot higher, in reality a well written brute force application would find it no harder in practice to compromise the passwords.

If you are concerned about password security then get away from it. Look at something like:
http://www.wikidsystems.com
I'm going to try and get it into the tree over the next few weeks.

--
Benjamin Smee (strerror)
crypto/forensics/netmail/netmon

--
[email protected] mailing list
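The keyspace arithmetic in the quoted reply and the passphrase caveat in Benjamin's response, worked through as an added example that is not part of the thread. The 10,000-word dictionary and the three-word passphrase are assumptions used to model a forced-length passphrase that users build from common words.

```python
from math import log2

# Character-set sizes used in the thread.
ALPHA = 52   # [a-zA-Z]
FULL = 95    # [a-zA-Z0-9<special-chars>] with 33 specials, as assumed above

# Assumed (not from the thread): the vocabulary of common words a user is
# likely to draw from, and the number of words in a passphrase that meets a
# 15-character minimum (three ~5-letter words plus separators).
DICTIONARY_SIZE = 10_000
WORDS_PER_PASSPHRASE = 3


def keyspace(charset_size: int, length: int) -> int:
    """Distinct strings of `length` chars drawn uniformly from the charset."""
    return charset_size ** length


def bits(combinations: int) -> float:
    """Work factor expressed in bits: log2 of the number of candidates."""
    return log2(combinations)


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Candidates an attacker must try when the passphrase is known to be
    `words` dictionary words: the search runs per word, not per character,
    so the character-length minimum adds no work of its own."""
    return dictionary_size ** words


def policy_comparison() -> dict:
    """Keyspaces of the four policies from the thread plus the word-based
    passphrase model, keyed by a short label."""
    return {
        "12*[a-zA-Z]": keyspace(ALPHA, 12),
        "8*[full95]": keyspace(FULL, 8),
        "8*[a-zA-Z]": keyspace(ALPHA, 8),
        "12*[full95]": keyspace(FULL, 12),
        "15+ chars, 3 dictionary words":
            passphrase_keyspace(DICTIONARY_SIZE, WORDS_PER_PASSPHRASE),
    }


if __name__ == "__main__":
    for label, n in policy_comparison().items():
        print(f"{label:30s} {n:>30,d}  ~{bits(n):5.1f} bits")
```

Under these assumptions the three-word passphrase sits at roughly 40 bits, below the 8-character full-charset password (about 52.6 bits), which is the practical point Benjamin makes against relying on minimum length alone.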
