Re: Re: RE: ADS Password Storage Protection

["Gregory Rubin" <grrubin () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While dictionary attacks are very useful, the ease of remembering a
passphrase makes up for the difference (IMHO).  For example, take the
following passphrase (which I don't use anywhere):

Once upon a mid-night dreary while I pondered, "What's a door?"

Perfectly correct English and very easy to remember (especially if you
ever read the Mad spoof of "The Raven").  It also is 63 characters
long, mixed case, with symbols, and doesn't exist as a string in any
published text.  Is it really that vulnerable to dictionary attacks?

I can't remember highly complex passwords of more than about 8 to 12
characters.  Once I get too many of them, I need to start writing them
down unless I make them easy to remember, and with only 8 char. to
work with (as many of my passwords are restricticted in length) it is
very hard not to compromise the complexity while being easy to
remember.  On the other hand, I easily remember several different
passphrases of lengths ranging from 20 to (now) 63 and though there is
one that I haven't used in about a year, it is still fresh in my mind.
This reduces the problems of recording passwords in insecure
locations or needed passwords reset.

Greg

On 17 Jul 2006 19:55:09 -0000, eric.baechle () dhs gov
<eric.baechle () dhs gov> wrote:
> Winshel;
>
>
> Actually, a passphrase is not as secure as a random password.  As you probably have heard, "Don't use dictionary words" over and over again.  Even compound dictionary words 
> are bad, ie: "firedogdalmation".  Compounding dictionary words with spaces, punctuation, and even gramatically correct modifiers in between is really no different than without.  
> It's a very simple substitution to try; "firedogdalmation" and then try "fire dog dalmation", "Fire Dog Dalmation", "Dalmation the Fire Dog", 
> etc.
>
>
> Using compound dictionary words could come back to bite you very quickly, even when used in long phrases.
>
>
> Sincerely,
>
>
> Eric Baechle, CISSP/ISSEP, etc.
>
> Senior INFOSEC/OPSEC Engineer
>
> Department of Homeland Security
>
> ---------------------------------------------------------------------------
> This list is sponsored by: SensePost
>
> Hacking, like any art, will take years of dedicated study and
> practice to master. We can't teach you to hack. But we can teach you
> what we've learned so far. Our courses are honest, real, technical
> and practical. SensePost willl be at Black Hat Vegas in July. To see
> what we're about, visit us at:
>
> http://www.sensepost.com/training.html
> ---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9

iD8DBQFEvA7G5KDU23nQpRcRAibeAKDLSAujGr6/sPQb3xNObyz69QIVWwCfTk1c
N8T2LEwVcx4d+MWvaLau6tg=
=uL83
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and  
practice to master. We can't teach you to hack. But we can teach you  
what we've learned so far. Our courses are honest, real, technical  
and practical. SensePost willl be at Black Hat Vegas in July. To see  
what we're about, visit us at: 

http://www.sensepost.com/training.html
---------------------------------------------------------------------------