dantz
join:2005-05-09
Honolulu, HI | reply to Jack Morgan
Re: Passphrase strength, is this right? Sounds like you are considering a variation of the Diceware Passphrase approach. You should check out this page:
»world.std.com/~reinhold/diceware.html |
|
| ...... 1500 words means ~ 2^~10 bit of randomess, thus a 5 word from 'that dict' means ~ 2^53 bit of security
Given 2^~72 bit of security (RSA200 challenge) CAN be broken within 5 MONTHS with a array of computers... a 2^55 bit of security CAN BE BROKEN within 1/2 MIN!!!
BUT it is NOT THAT BAD compared to COMMON 8 chars of Upper/Lower Case + Numbers ONLY to log in to your WEBMAIL... it has 2^~45 bit of security only...
Just imagine... |
|
mysecPremium
join:2005-11-29
kudos:4 | reply to dantz
I couldn't get this link to open.
I'll try again later...
-rich |
|
dantz
join:2005-05-09
Honolulu, HI | said by mysec:I couldn't get this link to open. I'll try again later... -rich The link is still good. You can also type in »diceware.com and it will take you there.
Diceware uses a 7,776 word dictionary. Ordinary dice are used as a random-number generator in order to select each word that will be included in the passphrase. In my opinion, it's a highly effective system as well as a very clever solution to the problem of users failing to select high-quality passwords/passphrases. I especially like the use of dice as a random-number generator, as opposed to the pseudo-random numbers that most computers provide.
The advantage of using the Diceware method is that you can quickly and easily create strong passwords that can actually be remembered. However, this advantage quickly begins to fade if you need to remember more than one or two passwords, as human memory has its limits. (Maybe we need to add more RAM!)
I use KeePass to generate and store all of my passwords, and these are applied using copy/paste operations so I don't have to remember them or type them in, nor could I. (%kjC7UqOIBb'=&dc/w0,i*3Pwa}43 can barely be typed correctly on the first try, let alone remembered). All I have to know is my master password and the location of the keyfile. I suppose Diceware would be a good way to generate my master password, but I'm already using another system for that. |
|
|
|
