Security Basics mailing list archives
Re: Password alternatives
From: Brent Gardner <brent.gardner () gmail com>
Date: Wed, 31 Mar 2010 14:31:58 -0700
Ansgar Wiechers wrote:
Although passphrases are easier to remember, the "harder to guess and crack" is something I'm not entirely convinced of. Usually I see this claim being based on the assumption that an attacker will treat passphrases as a string of characters, just like passwords. But what if we consider both passwords and passphrases as strings of tokens? Passwords are constructed of character tokens, whereas passphrases are constructed of word (and perhaps interpunction) tokens. Basically the number of tokens available (n) and the number of tokens used (k) define the total amount of available passwords/-phrases (n^k), and thus the strength of the password or -phrase. If we consider this, a 5-token passphrase will still be more secure than a 5-token password, because the number of characters readily available through a user's keyboard (n[password]) will usually be around 100 characters, while the number of words in a language (n[passphrase]) exceeds this by several orders of magnitude. However, a 5-token passphrase with a total length of 20 characters will *not* have the same strength as a 20-character password, even though both of them consist of 20 characters. The strength of a passphrase will be reduced further, if we take proper grammar rules into account, as that will restrict which tokens can be used at any given position. I don't have any numbers how much this effectively would affect the strength of the passphrase, so if anyone knows of a paper or study on this matter, I'd be very much interested. People sure will argue that one can always "salt" a passphrase with some whitespace or special characters. However, keep in mind that an attacker usually doesn't need to attack a particular account, but can go for the weakest link. All of this said, passphrases most likely still are preferrable over passwords. They just may not be as secure as people think they are.
How does an attacker, when presented with nothing but a username field and a password field, know how strong the password is?
Brent Gardner ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: Password management System, (continued)
- Re: Password management System mailing lists (Mar 26)
- Re: Password management System John Morrison (Mar 26)
- Re: Password management System Samantha Fetter (Mar 29)
- Re: Password management System Marc-André Laverdière (Mar 26)
- Password alternatives WALI (Mar 29)
- RE: Password alternatives David Gillett (Mar 30)
- Re: Password alternatives Adam Mooz (Mar 30)
- Message not available
- Fwd: Password alternatives Kurt Buff (Mar 30)
- Re: Password alternatives John Morrison (Mar 30)
- Re: Password alternatives Ansgar Wiechers (Mar 31)
- Re: Password alternatives Brent Gardner (Mar 31)
- Password alternatives WALI (Mar 29)
- Re: Password alternatives Yousef Syed (Mar 31)
- Re: Password management System Lim Hock Leong (Mar 30)