
Ian
Premium
join:2002-06-18
ON
kudos:2

1 recommendation

reply to DannyZ

Re: Good Passwords Made Easy

That cartoon always annoys me. It's wildly incorrect unless you assume that password crackers always use brute-force. And since they don't, it's a terrible assumption.

Dictionary-based attacks WILL assume that you might string one, two, three, four, five ... common English words together to form a passphrase. The estimation of the entropy differences here is wildly optimistic. That said, four English words is still a pretty good password.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong



DannyZ
Gentoo Fanboy
Premium
join:2003-01-29
Erie, PA

I use strings of words with different languages mixed in sometimes. I think it's pretty secure.



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Ian

said by Ian:

That cartoon always annoys me. It's wildly incorrect unless you assume that password crackers always use brute-force. And since they don't, it's a terrible assumption.

Dictionary-based attacks WILL assume that you might string one, two, three, four, five ... common English words together to form a passphrase. The estimation of the entropy differences here is wildly optimistic. That said, four English words is still a pretty good password.

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.
--
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999

Airtj

join:2001-08-08
Clifton, VA

I too use lastpass but with Google Authenticator.

I recall reading something in this forum on how to create good passwords. Something you can easily remember, let's say Nissan for a car you own, and the model is, let's say, 300zx.

You then include the site you are accessing and put them together. That way you can easily remember each password for each site.

So using that example the password here would be:

NissanBroadBand300zx

Gmail would be

NissanGmail300zx

Or something like that, depending on where you place each item and if you capitalize them or not.



Ian
Premium
join:2002-06-18
ON
kudos:2
reply to KodiacZiller

said by KodiacZiller:

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

I'm aware of that. But that wasn't the complexity calculation used by the cartoon author.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

1 recommendation

Rule of Thumb: if you need a NYT article to tell you the rules about passwords, you are already doomed.
--
* seek help if having trouble coping
--Standard disclaimers apply.--



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Ian

said by Ian:

said by KodiacZiller:

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

I'm aware of that. But that wasn't the complexity calculation used by the cartoon author.

Maybe not, but the diceware method is still the best way to create strong passwords that are easy to remember.

For example, let's say that you have a word list of 10,000 English words to choose from. Let's further assume your adversary *knows* that you used this list. Here's the entropy for passwords made with different lengths:

4 words = 53 bits
5 words = 66 bits
6 words = 80 bits
7 words = 93 bits

So you'll need at least 6 words to be sure that the password won't be cracked. 80 bits is plenty strong. The nice thing about this is the adversary can know the wordlist and it doesn't matter as long as your password is long enough and chosen *randomly*.
--
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999
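A worked version of the calculation in the post above, added here as an example and not code from the thread: the entropy functions take the post's 10,000-word list size as a parameter, the passphrase picker uses the OS CSPRNG as diceware intends, and the 16-entry DEMO_WORDLIST and all function names are constructed for the demo.

```python
import math
import secrets

# Constructed 16-entry wordlist for the demo only (4 bits per word).
# A real diceware list has 7776 entries; the post assumes 10,000.
DEMO_WORDLIST = [
    "acorn", "basalt", "cobalt", "dune", "ember", "fjord", "glade", "harbor",
    "ingot", "juniper", "kelp", "lagoon", "marble", "nectar", "orchid", "pumice",
]


def entropy_bits(num_words: int, list_size: int) -> int:
    """Entropy, rounded to whole bits, of num_words words drawn uniformly
    from a list_size-word list: num_words * log2(list_size).
    The adversary is assumed to know the list; only the random choice
    of words contributes to the entropy."""
    return round(num_words * math.log2(list_size))


def words_needed(target_bits: int, list_size: int) -> int:
    """Smallest word count whose exact (unrounded) entropy meets target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, wordlist: list[str]) -> str:
    """Pick words with secrets (CSPRNG); random.choice is not suitable here."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_table(list_size: int, counts=(4, 5, 6, 7)) -> dict[int, int]:
    """Reproduce the post's table for an arbitrary list size."""
    return {n: entropy_bits(n, list_size) for n in counts}


if __name__ == "__main__":
    for n, bits in entropy_table(10_000).items():
        print(f"{n} words = {bits} bits")
    print("words for >= 80 bits from a 10,000-word list:", words_needed(80, 10_000))
    print("demo passphrase from the 16-word list:", generate_passphrase(6, DEMO_WORDLIST))
```

Note that six words from a 10,000-word list is 79.7 bits before rounding, so `words_needed(80, 10_000)` returns 7; the post's "6 words = 80 bits" is the rounded figure.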


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

Now if only we could get all websites to accept the long passwords required for such an approach.



Ian
Premium
join:2002-06-18
ON
kudos:2

said by sivran:

Now if only we could get all websites to accept the long passwords required for such an approach.

Well, that and the fact that typing in a 6 word password is a little on the cumbersome side.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to sivran

said by sivran:

Now if only we could get all websites to accept the long passwords required for such an approach.

Amen. There should be no limit on length, other than maybe less than 256. It ticks me off that I can only have a 12 character password on my 401k, as I've moved up to 15 character passwords.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” – Robert A. Heinlein