Crap...I now have to change my password again...

From: Jon Harris [mailto:[email protected]]
Sent: Wednesday, August 10, 2011 6:44 PM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords
If the in-house team ever got around to it, both could be kept happy by using something like "Horses like 2 fly, like bugs like to be stepped on!" Complex and easy to remember. How long would that take for a brute force attack or a dictionary attack to get the password? FYI that is NOT one of my passwords!

Jon

On Wed, Aug 10, 2011 at 6:10 PM, Webster <[email protected]> wrote:

Because the security team and/or auditor are simply following a check list. Complex passwords required - check. My job is done.

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Steve Kradel [mailto:[email protected]]
Sent: Wednesday, August 10, 2011 5:06 PM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords

It looks like Randall @ xkcd supposes each word in "correct horse battery staple" has 11 bits of entropy, which is to say, the person choosing the password has a comfortable vocabulary of 2^11 (2,048) words from which he will pick four at random. (2048^4 is the same as 2^44.) I think 2,048 words is a pretty low estimate, at least in English, but that's not really the point...

On the other hand, he suggests forcing people to choose "strong" passwords presses humans into a doofy pattern that is actually much *less* random than four dictionary words. 16 bits of uncertainty for the "uncommon base word" means the user has possibly picked a "difficult" dictionary word (from a vocabulary of 2^16 = 65,536 words -- generously more than a normal person knows), and then mangles it up a little bit in semi-predictable ways to satisfy the password strength checker.

It definitely raises an interesting question... why do so many organizations elect for minimum 8-character complex passwords, instead of "non-complex" passphrases of at least 16 or 20 characters, when the latter would be easier to remember and probably stronger?
--Steve

On Wed, Aug 10, 2011 at 5:33 PM, Crawford, Scott <[email protected]> wrote:

Interesting. I'd like to understand how the bits of entropy are calculated though.

From: Andrew S. Baker [mailto:[email protected]]
Sent: Wednesday, August 10, 2011 4:06 PM
To: NT System Admin Issues
Subject: Almost, but not quite OT: Passwords

http://xkcd.com/936/

Yet, very pertinent.

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market...

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
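The entropy arithmetic Steve walks through (2^11 per word, four words, 2^44 total, versus 2^16 for the uncommon base word), as an added worked example that is not code from anyone in the thread. It generalises his figures to any scheme of N independent uniform picks from a vocabulary of V options, and the 1,000 guesses/second rate is a constructed assumption, not a number from the thread.

```python
import math

# Added example (not from the thread): bits of entropy and expected
# cracking effort for a secret built from N independent picks, each
# uniform over V equally likely options (words, characters, ...).

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(vocabulary_size: int, picks: int) -> float:
    """picks * log2(vocabulary_size).
    This is an upper bound: it only holds if the picks really are random.
    A person choosing their own words (e.g. a sentence they like) gets
    fewer bits than this, because the words are not independent or uniform."""
    if vocabulary_size < 2 or picks < 1:
        raise ValueError("need at least 2 options and 1 pick")
    return picks * math.log2(vocabulary_size)


def expected_guesses(bits: float) -> float:
    """An attacker who knows the scheme (word list, number of words) needs
    on average half the keyspace: 2**bits / 2."""
    return 2.0 ** bits / 2.0


def crack_report(vocabulary_size: int, picks: int,
                 guesses_per_second: float) -> dict:
    """Strength of a scheme against an attacker guessing at the given rate.
    `guesses_per_second` is an assumption supplied by the caller."""
    bits = entropy_bits(vocabulary_size, picks)
    seconds = expected_guesses(bits) / guesses_per_second
    return {
        "bits": bits,
        "expected_guesses": expected_guesses(bits),
        "expected_seconds": seconds,
        "expected_years": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed rate: 1,000 guesses/s, the order of an online attack on a
    # rate-limited service. Offline cracking of a leaked hash is many orders
    # of magnitude faster, so the years below shrink accordingly.
    RATE = 1_000.0
    four_words = crack_report(2048, 4, RATE)    # Steve's 2^44 case: 44 bits
    base_word = crack_report(65536, 1, RATE)    # base word alone: 16 bits
    for name, r in (("4 random words / 2048-word list", four_words),
                    ("uncommon base word / 65536-word list", base_word)):
        print(f"{name}: {r['bits']:.0f} bits, "
              f"~{r['expected_years']:.2f} years at {RATE:.0f} guesses/s")
```

The 16-bit figure is the base word before mangling; the thread gives no number for the mangling step, so it is not modelled here.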
