Entropy of Pass-phrase vs pass-word?

The fear of every surveillance society: citizens protecting their own privacy with strong cryptography


Post by 0xBEEF1337 on Mon Aug 16, 2010 10:17 am

Delete.
Last edited by 0xBEEF1337 on Sat Jan 29, 2011 3:23 pm, edited 1 time in total.


Re: Entropy of Pass-phrase vs pass-word?

Post by Pythous on Mon Aug 16, 2010 10:51 am

I think that passphrases are very useful in creating strong passwords. However, a person would have to do a couple of things to get them to the level of a strong, 20+ character password, using punctuation, capitals, numbers, and whatnot.

The main thing is that they would have to make sure that it would be easy for them to remember, but not something that people would be able to guess. If your passphrase is your favorite quote, and you also put your favorite quote on the front of your Myspace page, it reduces its security greatly.

The other thing that you would need to do would be to make it so that brute-force, dictionary, and other attacks won't work. If you use a long enough passphrase, with enough special characters, then your password is essentially safe from brute-force and dictionary.
A good way to do this would be to leet-speakify the passphrase, but with some other random characters that aren't necessarily leet-speak, just to be on the safe side ;).


Re: Entropy of Pass-phrase vs pass-word?

Post by tgoe on Tue Aug 17, 2010 3:30 am

I think passphrases are a good idea. Requiring a passphrase forces people that
tend to choose weaker passwords to choose better passwords without really
thinking about it. I'd say most passwords are upper/lower letters and numbers 6
to 10 chars long.

Code:
>>> (26*2+10)**6
56800235584
>>> (26*2+10)**10
839299365868340224


Not great in theory and even worse in practice. These average passwords are
probably also really weak passphrases.

Consider this advice associated with a password creation field: "Your password
should be at least 8 characters long, contain upper and lower case letters and
some numbers. Memorize it."

A user is probably more likely to come up with something like "M0onUn1t"
instead of "8KdyP5t0lQgg". From a purely brute force perspective "M0onUn1t" may
seem reasonable at over 218 trillion combinations before you're guaranteed to
crack it.

Code:
>>> (26*2+10)**8
218340105584896


...but "M0onUn1t" is equal to the two word passphrase "moon unit" with the
right dictionary. Let's take that dictionary of 40000 common words and include
l33t-sp34k variations. Say this dictionary is now maybe 65000 entries or even
80000.

Code:
>>> 65000 ** 2
4225000000
>>> 80000 ** 2
6400000000


You could probably bang that out within the day on an old computer.


That same user could be asked to create a passphrase with this advice instead:
"Create a passphrase at least 8 words long. Memorize it." The user might come
up with something like "lol frank zappa named a kid moon unit"... the bare
minimum. Brute forcing a string that long would be tough:

Code:
>>> 27**37 # even if you know it's just lower letters and spaces
91297581665113611259115979754590511595360241199911147L


A dictionary approach isn't much better even if you know the passphrase is
minimum length and just common words:

Code:
>>> 40000 ** 8
6553600000000000000000000000000000000L


:) I made a lot of assumptions here but I think even small passphrases are better
than trying to enforce strong passwords.
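The comparison tgoe walks through above, turned into a small calculator (an added example, not code from the thread): it scores a candidate by the weaker of brute force over the 62-character alphabet and a dictionary attack, after undoing case and leet substitutions so that "M0onUn1t" is recognised as the two words "moon unit". The leet table and the tiny word list are constructed stand-ins for the 40000-word dictionary the post assumes; the 65000 and 40000 dictionary sizes are taken from the post.

```python
import math
from itertools import product
from typing import List, Optional, Set

ALNUM = 26 * 2 + 10   # upper + lower + digits, the charset tgoe's post assumes

# Constructed leet table: each symbol may be read as any of the listed letters.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s", "7": "t"}
# Constructed stand-in for the "40000 common words" dictionary in the post.
WORDS = {"moon", "unit", "lol", "frank", "zappa", "named", "a", "kid"}


def brute_force_bits(charset_size: int, length: int) -> float:
    """Bits of work if the attacker must try every string of this length."""
    return length * math.log2(charset_size)


def dictionary_bits(dict_size: int, n_words: int) -> float:
    """Bits of work if the attacker knows it is n_words dictionary words."""
    return n_words * math.log2(dict_size)


def segment(s: str, words: Set[str]) -> Optional[List[str]]:
    """Split s into the fewest dictionary words, or None if it cannot be done."""
    best: List[Optional[List[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def as_passphrase(password: str, words: Set[str] = WORDS) -> Optional[List[str]]:
    """Undo case, spaces and leet-speak; return the word split if the password
    is a passphrase in disguise, e.g. 'M0onUn1t' -> ['moon', 'unit']."""
    choices = [LEET.get(c, c) for c in password.lower().replace(" ", "")]
    for letters in product(*choices):        # try every possible leet reading
        found = segment("".join(letters), words)
        if found:
            return found
    return None


def effective_bits(password: str, dict_size: int = 65000) -> float:
    """Work the attacker actually faces: the weaker of brute force and a
    dictionary attack (dict_size includes leet variants, as the post assumes)."""
    bf = brute_force_bits(ALNUM, len(password))
    words = as_passphrase(password)
    return min(bf, dictionary_bits(dict_size, len(words))) if words else bf
```

With these inputs "M0onUn1t" drops from about 47.6 bits (brute force) to about 32 bits (two words from a 65000-entry dictionary), while the eight-word phrase stays above 120 bits even against a dictionary attack.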


Re: Entropy of Pass-phrase vs pass-word?

Post by mRmasteRful on Tue Aug 17, 2010 3:38 am

Yeah that last post just alerted me of how weak my passwords may be. I remember the days when my password used to be just six numbers. Pass-phrases sound like a good idea but only if the user doesn't get into the habit of letting the computer remember the passwords for them because then they wouldn't remember what they are.


Re: Entropy of Pass-phrase vs pass-word?

Post by tremor77 on Tue Aug 17, 2010 10:57 am

Part of the onus should be on the logon developer.. (failed attempt blocks, captchas, password strength meters and rules) should all be standard. And let's be brutally honest about brute force and password cracking.. I think that accounts for a small fraction of the password theft... where phishing & loggers and other methods seem to be the primary modus operandi to get someone's account, after that.. subverting the logon process altogether... cracking and brute force are... to me at least.. a last resort option. That being said.. from the standpoint of a new user.. I think passwords are better... they can use a more complex set of characters up to 14 characters in length (refer to research as to how human brains store bits of information and why telephone numbers are 7/10 digits, bank accounts are 10 digits and so on) and muscle memory from the repetition of typing it.... I think allows people to set something like IAm2S3xy4U! and be able to memorize it.. type it quickly and efficiently..

I don't think I really had a point to this reply... I'm just typing now... hrmm..


Re: Entropy of Pass-phrase vs pass-word?

Post by Draymire on Tue Aug 17, 2010 12:21 pm

Somewhat related: GPUs crack hashes

I agree that brute force/cracking passwords is not as common as a phishing site or as effective. 1 site can get several usernames and passwords, cracking gets one password per attempt.


Re: Entropy of Pass-phrase vs pass-word?

Post by 0xBEEF1337 on Tue Aug 17, 2010 8:24 pm

Delete.
Last edited by 0xBEEF1337 on Sat Jan 29, 2011 3:23 pm, edited 1 time in total.


Re: Entropy of Pass-phrase vs pass-word?

Post by sanddbox on Wed Aug 18, 2010 2:59 am

0xBEEF1337 wrote: That brings up the point of key-loggers, where it's harder to pick out a random statement than it is a cryptic looking mash of special characters.

What other vectors aren't we thinking about here? I'd like to compile the points together and evaluate them...


People would...probably...be more likely to write down a passphrase (assuming it wasn't a quote or "1 2 3 4").


Re: Entropy of Pass-phrase vs pass-word?

Post by tremor77 on Wed Aug 18, 2010 9:03 am

sanddbox wrote: People would...probably...be more likely to write down a passphrase (assuming it wasn't a quote or "1 2 3 4").


At the very least the passphrase might be something visible from the user's position. Assuming I had to make a passphrase right now I'd look around my office... where I have a tendency to save the cool fortune cookie fortunes I get when I order Chinese.. I have several taped to my monitor.. like "It is better to be happy than wise", "A day is a span of time no one is wealthy enough to waste", and "You will soon have the opportunity to improve your finances." The 3rd has not yet happened.

I do find in my workplace, as we strictly enforce a secure password policy.. 9/10 users have their password written down, many in plain sight.. because.. the average user is blatantly lazy. Yellow sticky note on the monitor. My boss.. feels he is clever, his is under the keyboard.

But the written down password or passphrase only assists in on location theft. Unless you are Lord Nikon.


Re: Entropy of Pass-phrase vs pass-word?

Post by 0xBEEF1337 on Wed Aug 18, 2010 1:19 pm

Delete.
Last edited by 0xBEEF1337 on Sat Jan 29, 2011 3:23 pm, edited 1 time in total.