Agreed, using sentences makes sense, and with simple replacement of a couple of words I would think they would be very hard to break without social engineering. User training will help with even that aspect.
Jon

On Wed, Aug 10, 2011 at 6:47 PM, Kurt Buff <[email protected]> wrote:
> My last two passwords were in this form:
>
> X xxx'x xxxxxxxxxx xxxxxxxxxx.
>
> and
>
> Xxxxxxx xx xxxxxx, xxx xxxx.
>
> Simple, straightforward sentences of 29 and 31 characters respectively.
> Easy to type and remember, and while I don't have the time to calculate
> their bits of entropy, I'll bet it's fairly high.
>
> Kurt
>
>
> On Wed, Aug 10, 2011 at 15:06, Steve Kradel <[email protected]> wrote:
>
>> It looks like Randall @ xkcd supposes each word in "correct horse battery
>> staple" has 11 bits of entropy, which is to say, the person choosing the
>> password has a comfortable vocabulary of 2^11 (2,048) words from which he
>> will pick four at random. (2048^4 is the same as 2^44.) I think 2,048
>> words is a pretty low estimate, at least in English, but that's not really
>> the point...
>>
>> On the other hand, he suggests forcing people to choose "strong" passwords
>> presses humans into a doofy pattern that is actually much *less* random than
>> four dictionary words. 16 bits of uncertainty for the "uncommon base word"
>> means the user has possibly picked a "difficult" dictionary word (from a
>> vocabulary of 2^16 = 65,536 words -- generously more than a normal person
>> knows), and then mangles it up a little bit in semi-predictable ways to
>> satisfy the password strength checker.
>>
>> It definitely raises an interesting question... why do so many
>> organizations elect for minimum 8-character complex passwords, instead of
>> "non-complex" passphrases of at least 16 or 20 characters, when the latter
>> would be easier to remember and probably stronger?
>>
>> --Steve
>>
>>
>> On Wed, Aug 10, 2011 at 5:33 PM, Crawford, Scott
>> <[email protected]> wrote:
>>
>>> Interesting. I'd like to understand how the bits of entropy are
>>> calculated though.
>>>
>>> From: Andrew S. Baker [mailto:[email protected]]
>>> Sent: Wednesday, August 10, 2011 4:06 PM
>>> To: NT System Admin Issues
>>> Subject: Almost, but not quite OT: Passwords
>>>
>>> http://xkcd.com/936/
>>>
>>> Yet, very pertinent.
>>>
>>> ASB
>>> http://about.me/Andrew.S.Baker
>>> Harnessing the Advantages of Technology for the SMB market…
>>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
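The entropy arithmetic Steve and Scott discuss above (11 bits per word from a 2,048-word vocabulary, 2048^4 = 2^44, a 65,536-word "difficult" vocabulary giving 16 bits for the base word, and the 8-character complex password versus a 16-to-20-character passphrase) can be worked through in a few lines. The following is an added example written for this page, not code from any of the thread's participants. It assumes a 94-symbol printable-ASCII alphabet for the "complex" password case and a constructed twelve-word sample vocabulary standing in for a real word list; the figures only hold for words or characters chosen uniformly at random, which is exactly the premise the thread says human-mangled base words fail to meet. The guess rate in the worked comparison is likewise an assumed value, not one taken from the thread.

```python
import math
import secrets

# Constructed sample vocabulary (assumption): a stand-in for a real word list
# such as a dictionary file. log2(12) is about 3.58 bits per word, far below
# the 11 bits that the thread's 2,048-word (2^11) vocabulary would give.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "marble",
                "velvet", "lantern", "orbit", "cactus", "pillow", "tunnel"]

# Assumption: an "8-character complex" password may use any printable ASCII
# character except space, i.e. 94 symbols.
PRINTABLE_ASCII = 94


def passphrase_entropy_bits(vocab_size: int, word_count: int) -> float:
    """Bits of entropy for word_count words drawn uniformly at random from a
    vocabulary of vocab_size words: log2(vocab_size ** word_count).
    With vocab_size = 2048 and word_count = 4 this is exactly 44."""
    if vocab_size < 2 or word_count < 1:
        raise ValueError("need at least two candidate words and one pick")
    return word_count * math.log2(vocab_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly at random from
    an alphabet of alphabet_size symbols. This is the best case; a human-chosen
    'base word plus mangling' password is far below it."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one character")
    return length * math.log2(alphabet_size)


def words_needed(vocab_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen words that reaches target_bits."""
    if vocab_size < 2:
        raise ValueError("need at least two candidate words")
    return math.ceil(target_bits / math.log2(vocab_size))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret of `bits` bits, assuming
    the attacker must search half the keyspace on average."""
    seconds = (2.0 ** bits / 2.0) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words, word_count: int) -> str:
    """Pick words with the `secrets` module (a CSPRNG) so the uniform-choice
    premise behind the entropy estimate actually holds."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1000.0  # assumed guess rate (guesses per second), not from the thread
    cases = [
        ("4 words from 2,048",        passphrase_entropy_bits(2048, 4)),
        ("1 word from 65,536",        passphrase_entropy_bits(65536, 1)),
        ("8 random printable chars",  password_entropy_bits(PRINTABLE_ASCII, 8)),
        ("4 words from sample list",  passphrase_entropy_bits(len(SAMPLE_WORDS), 4)),
    ]
    for label, bits in cases:
        print(f"{label:28s} {bits:6.1f} bits  ~{expected_crack_years(bits, rate):.2e} years")
    print("words from 2,048 to match 8 random printable chars:",
          words_needed(2048, password_entropy_bits(PRINTABLE_ASCII, 8)))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The comparison makes the thread's point concrete: four words from a 2,048-word vocabulary give 44 bits, while eight uniformly random printable characters give about 52 bits, so five such words would be needed to match a truly random 8-character password. The gap only favours the "complex" policy when the characters really are random; the mangled-base-word pattern Steve describes starts from 16 bits and adds only a few more, which is why the passphrase wins in practice.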
