Entropy of Pass-phrase vs pass-word?

The fear of every surveillance society: citizens protecting their own privacy with strong cryptography

Re: Entropy of Pass-phrase vs pass-word?

Post by Sector on Sun Sep 05, 2010 12:02 pm
([msg=45028]see Re: Entropy of Pass-phrase vs pass-word?[/msg])

tremor77 wrote:I do find in my workplace, as we strictly enforce a secure password policy.. 9/10 users have their password written down, many in plain site.. because.. the average user is blatantly lazy. Yellow sticky note on the monitor. My boss.. feels he is clever, his is under the keyboard.


I feel your pain on this one. We have a similar setup in my workplace. Passwords must be of length 8+ with variations of alpha-numeric and punctuation characters.
But, as you so aptly put it, the average user is blatantly lazy, and so rather than memorise passwords that are harder to remember than 'my dog's name and my year of birth added to the end', those unaware of the necessity of password security have taken it upon themselves to pool their passwords (just incase personX is off is the logic...apparently) in a discretely hidden notepad... a copy of which resides on each persons desk, and often finds its way into their bags / other carrying medium at the end of the day.

Bearing in mind that we use 'forename.surname' as our userid syntax and each standard user has the ability to charge transactions to the company account and most PCs have RDP enabled.

Sorry to take this a little off-topic, but my point here being, that no amount of password strength, password or passphrase will matter when this kind of thing happens.
Sector
New User
New User
 
Posts: 30
Joined: Mon Jul 19, 2010 5:58 am
Blog: View Blog (0)


Re: Entropy of Pass-phrase vs pass-word?

Post by cilpolir on Sun Sep 05, 2010 1:53 pm
([msg=45042]see Re: Entropy of Pass-phrase vs pass-word?[/msg])

Just wondering, how many people would take "veni vidi vici" as pass-phrase?
Image
User avatar
cilpolir
Poster
Poster
 
Posts: 214
Joined: Sat Sep 12, 2009 10:46 am
Blog: View Blog (0)


Re: Entropy of Pass-phrase vs pass-word?

Post by f1r3flie on Mon Oct 04, 2010 5:19 pm
([msg=47049]see Re: Entropy of Pass-phrase vs pass-word?[/msg])

For a user other that you or I, a password will always be something extremely simple, such as M0onUn1t or equivelant. I wrote a program to randomly generate my password so it uses every key on my laptop keyboard, and made it 16 characters. I calculated that with 86 keys and 16 characters, 8953136790196197357146289012736 tries are necessary to break it (or 2992179271065856 for 8 characters). Say it's on my personal server, and at best, 100 million attempts can be made a second. This requires 89531367901961973571462 seconds for the 16 character, and 29921792 seconds for the 8 character, equivelant to just short of a year. So long as I replace my password at least that often, I'm safe.

To compare this to a passphrase, 40000 english words is equivelant to more than 2 characters, and so a four word passphrase is like an eight character password, and an eight word phrase is unbreakable.

EDIT: So long that the server uses a slow hash algorithm on the password with every attempt, and an attempt takes a second, you're brute force proof.
sanddbox wrote:TLDR: It will get better in the next 1000 posts or so.

My Operating Systems:
Ubuntu 10.10
Windows Vista
Mac OS X hackintosh
Backtrack 4
Ubuntu Server 9.04
Xubuntu 10.04
Windows XP
Backtrack 2
Ubuntu Server 9.10
f1r3flie
New User
New User
 
Posts: 15
Joined: Sun Sep 26, 2010 10:45 pm
Blog: View Blog (0)


Previous

Return to Crypto

Who is online

Users browsing this forum: No registered users and 0 guests