On Tue, Apr 26, 2011 at 2:36 PM, Aaron Toponce <[email protected]> wrote:
>
> No, not by a long shot. Because the length of your password could be
> infinite, this makes the number of possibilities infinite, even in one
> direction. But even using limited length, say 20, you still have billions
> upon billions of combinations based on starting location, and direction
> traveled. No dictionary attack is feasible with this card.

Passwords are not infinite in length. I have never once found a system that allows me to choose a password of arbitrary length. Every one I have encountered has a hard upper limit on the length, usually 16-20, some (including some banks--shudder!) as short as 8.

If you're already needing to use a card like this as a memory aid for your passwords, you're very likely to go in a straight line--vertical, horizontal, or diagonal. Memorizing a convoluted path would be harder, and why bother when you have such a great starting aid to occlusion in the first place? Furthermore, if someone is extremely paranoid enough to use this *plus* a convoluted path, it seems to me that if they have the memory skills to remember the path as well they likely wouldn't need the card in the first place.

Thus I'd wager that for most people the card yields a finite number of say 20-character words, of which any length could be a possible password--but if we assume a minimum of 6 characters, that means we get 15 possible word lengths for each direction from each starting position--thus 6x15x29x8 = a 20880 word dictionary--less than half the size of the small dictionary that comes with crack lib--a very feasible dictionary as a starting point.

But, as posted earlier, if you change your passwords as soon as you discover that your card has been lost or compromised (assuming you could know someone copied it?), you're likely to head off any dictionary attack in progress before it succeeds. So, all in all I now think that the passwordcard is a decent way to go.
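Added example, not part of the original message: a small Python calculation of how many straight-line reads a lost card exposes, for judging how quickly passwords need rotating. It assumes the factors 29 and 8 are the card's columns and rows and that 6 is the number of directions; the function names and the eight-direction list are illustrative.

```python
import math

# Assumption: the 8 straight-line directions (d_row, d_col) on a grid.
DIRECTIONS_8 = [(0, 1), (0, -1), (1, 0), (-1, 0),
                (1, 1), (1, -1), (-1, 1), (-1, -1)]


def upper_bound(rows, cols, n_dirs, min_len, max_len):
    """Count every start x direction x length, as the message's estimate does."""
    return rows * cols * n_dirs * (max_len - min_len + 1)


def count_paths(rows, cols, directions, min_len, max_len, wrap=False):
    """Count straight-line reads of each allowed length.

    Without wrap, a read only counts if its last cell is still on the card.
    With wrap, reads continue from the opposite edge, so all of them count.
    """
    total = 0
    for r in range(rows):
        for c in range(cols):
            for dr, dc in directions:
                for length in range(min_len, max_len + 1):
                    end_r = r + dr * (length - 1)
                    end_c = c + dc * (length - 1)
                    if wrap or (0 <= end_r < rows and 0 <= end_c < cols):
                        total += 1
    return total


def bits(n):
    """Entropy in bits of a uniform choice among n candidates."""
    return math.log2(n) if n > 0 else 0.0


if __name__ == "__main__":
    rows, cols = 8, 29  # assumed card layout
    cases = {
        "estimate, 6 directions": upper_bound(rows, cols, 6, 6, 20),
        "8 directions, wrapping": count_paths(rows, cols, DIRECTIONS_8, 6, 20, wrap=True),
        "8 directions, on-card only": count_paths(rows, cols, DIRECTIONS_8, 6, 20),
    }
    for label, n in cases.items():
        print(f"{label}: {n} candidates, {bits(n):.1f} bits")
```

Under these assumptions every variant stays below 15 bits once the card itself is known, which is why rotating passwords after a loss matters more than the path chosen.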
