On Sun, Apr 17, 2011 at 6:41 PM, Alberto Trevino <[email protected]> wrote:

> > It mentions both dictionaries and common words actually.
>
> You are right. The author did mention using a combination of common words.
> However, I am very, very suspicious of his numbers.
>
> In his example of the word "orange", he says it takes 3 minutes using
> common words to crack. Yet, in his example of "alpine fun" he says it would
> take two months and "this is fun" would take over 2,500 years. This is about
> right, mathematically, but I suggest in practice, this is not the case. We
> use a dictionary, either of all words or common words so that we don't have
> to go through all theoretical possibilities. Therefore, trying to run an
> attack with all possible combinations of all entries in the dictionary is a
> non-optimal approach. I suggest using a "common phrase" dictionary instead.
> I bet that would be quite efficient and cracking "this is fun" would only
> take days, if not hours.
>
> And for those who know me well, yes, I think I know just how to do it. :-)
>
>
I hate passwords/passphrases. Actually, I hate programmers who are idiots
that program password/phrase requirements. I really hate when I can't use my
strong password on a banking website (where you should have a strong password)
because they don't like punctuation marks (<whiny voice> Only numbers and
letters please! </whiny voice>). I am so hoping for the day when single
sign-on really goes somewhere, where I can trust one identity provider and
know that only they ever have my password (better yet a certificate or key).

Until then I still use random passwords with a mix of everything
(some punctuation characters make cracking much more difficult and usually
can only be cracked with expensive rainbow tables). The longer the password,
the better (except for Windows LANMAN, where anything beyond 7 characters
is useless) and I try to throw in as many numbers and symbols as possible.
When using passphrases, it is still good to stay away from common words by
applying the above technique and throw some double spaces in there to help
against simply combining words.

I really wish more web developers would take advantage of something like
OpenID (although the username is a pain). Single sign-on comes with its share
of issues too, but I would rather have those than worry whose crappy
programming has my password in an insecure form on a poorly patched box. At
least with single sign-on, if they compromise the box, they can't do a whole
lot.

Robert
--------------------
BYU Unix Users Group 
http://uug.byu.edu/ 

The opinions expressed in this message are the responsibility of their
author.  They are not endorsed by BYU, the BYU CS Department or BYU-UUG. 
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list

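The two messages above argue about how big the search space really is for "try every combination of dictionary words" versus "try a list of common phrases", and about why LANMAN makes length beyond 7 characters pointless. The following script is an added example (not code from either poster) that puts numbers on those attacker models so a defender can compare password policies; the dictionary sizes, phrase-list size and guess rate are constructed assumptions, not figures from the thread.

```python
"""Search-space estimator for the password/passphrase strategies in the thread.

Added example; every size and rate below is an assumption chosen for
illustration, not a measurement.
"""
from math import log2

GUESSES_PER_SECOND = 1_000_000   # assumed attacker throughput (constructed)
SECONDS_PER_DAY = 86_400


def combination_guesses(dict_size: int, word_count: int) -> int:
    """Worst case for 'every ordered combination of dictionary words'.

    This is the model behind the 2,500-year figure for a three-word phrase:
    the space grows as dict_size ** word_count.
    """
    return dict_size ** word_count


def phrase_dictionary_guesses(phrase_count: int) -> int:
    """Worst case for a 'common phrase' list: one guess per listed phrase.

    If the passphrase is a well-known phrase, the combination maths above
    is irrelevant; only the size of the phrase list matters.
    """
    return phrase_count


def random_password_guesses(alphabet_size: int, length: int) -> int:
    """Worst case for a uniformly random password over a given alphabet."""
    return alphabet_size ** length


def lm_hash_guesses(alphabet_size: int, length: int) -> int:
    """Effective search space for a Windows LANMAN (LM) hash.

    LM truncates the password to 14 characters and hashes two independent
    7-character halves, so each half is attacked separately: cost is at most
    alphabet**7 + alphabet**7, never alphabet**length. Characters beyond 14
    are discarded entirely, which is why length past 7 buys little.
    """
    if length <= 7:
        return alphabet_size ** length
    second_half = min(length, 14) - 7
    return alphabet_size ** 7 + alphabet_size ** second_half


def entropy_bits(guesses: int) -> float:
    """Equivalent strength in bits for a worst-case guess count."""
    return log2(guesses)


def worst_case_days(guesses: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Days to exhaust the whole space at the assumed rate."""
    return guesses / rate / SECONDS_PER_DAY


def compare_strategies() -> dict:
    """Side-by-side worst-case guess counts for the thread's scenarios.

    Assumed sizes (constructed): 5,000 common words, a 1,000,000-entry
    common-phrase list, a 36-symbol alphanumeric alphabet and a 69-symbol
    alphabet that adds punctuation.
    """
    return {
        # "orange": one common word
        "one_common_word": combination_guesses(5_000, 1),
        # "alpine fun": two words combined
        "two_word_combination": combination_guesses(5_000, 2),
        # "this is fun": three words combined, the 2,500-year model
        "three_word_combination": combination_guesses(5_000, 3),
        # "this is fun" looked up in a phrase list instead
        "common_phrase_list": phrase_dictionary_guesses(1_000_000),
        # 8 random chars, letters+digits only (the bank's policy)
        "random_8_alnum": random_password_guesses(36, 8),
        # 8 random chars with punctuation allowed
        "random_8_punct": random_password_guesses(69, 8),
        # the same 14-char alnum password hashed with LM vs. a real 14-char space
        "lm_14_alnum": lm_hash_guesses(36, 14),
        "full_14_alnum": random_password_guesses(36, 14),
    }


if __name__ == "__main__":
    for name, guesses in compare_strategies().items():
        print(f"{name:24s} {guesses:>24,d} guesses  "
              f"{entropy_bits(guesses):6.1f} bits  "
              f"{worst_case_days(guesses):14.2f} days")
```

Running it shows the shape of the argument: the three-word combination space is five orders of magnitude larger than a million-entry phrase list, so whether "this is fun" survives depends on which list the attacker tries first, not on the combination maths. The LM row shows a 14-character alphanumeric password costing only about two 7-character searches, roughly 37 bits instead of the 72 bits a true 14-character space would give.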