Re: Length vs Complexity

[Walter Goulet <wgoulet () gmail com>]

Thanks for the corrections; I almost never refer to numbers that
large:) But hopefully the point I was making is clear...

On Thu, Sep 16, 2010 at 3:41 PM, DA <kirpag () gmail com> wrote:
> @Walter : I think you meant 62^12 would generate a keyspace of 3 sextillion
> and not trillion. Also, 128^8 is roughly 72 quadrillion, not quintillion.
> Just FYI, from what you had written, a quintillion is more than a trillion
> and you were seemingly contradicting yourself.
> But yes, as Razzell said, increasing the length might make more sense since
> while it might just be a set of conjugated words from the dictionary with
> variations of any sort, or potentially just random letters in the ASCII
> keyspace, an attacker usually does not have an idea of whether it is the one
> or the other. For instance, if the password is just d!8%30* and the attacker
> assumes its a long password restricted to letters and digits, he would never
> find the same. Similarly, if he assumes the entire ASCII alphabet as his
> keyspace, then for a simple password like LoveMy3DogsAnd2Cats, he might have
> to go through 128^19 combinations to get there...I wouldn't consider waiting
> really...not even with a day off.
> No, really...
>
> The question really should be, how often does the attacker know the nature
> of your password? Or given a random victim, is it possible to determine the
> targets password format (simple letters+digits, or highly conjugated &
> random) ? This would lead us back to answering if a simpler longer password
> is really much more effective or not regardless of the potentially larger
> keyspace it may have. I think its highly unlikely that the format can be
> ascertained very easily but i'd like to know if there is some method to do
> that.
> Regards,
> - K
> [DA]
>
>
>
> On Thu, Sep 16, 2010 at 11:45 PM, Walter Goulet <wgoulet () gmail com> wrote:
> > I would agree with your argument; longer passwords will create a
> > larger keyspace more rapidly than a shorter password with more
> > complexity rules.
> >
> > The way I think about it is like this:
> >
> > A 8 character password that is restricted to the 52 upper/lowercase
> > letters plus valid digits 0-9 is going to have a total of 62 possible
> > values for each position, for a total of 62^8 possible passwords (218
> > trillion or so). If you increase the length to just 12 characters, you
> > get like 62^12 or approx. 3 trillion possible password values.
> >
> > If you instead permit users to say use all printable ASCII characters
> > (128 possible values for each position), you are just changing the
> > base value (128^8 or 72 quintillion or so).
> >
> > So, by requiring longer passphrases you are exponentially increasing
> > the size of the keyspace.
> >
> > On Thu, Sep 16, 2010 at 12:01 PM, Mike Razzell <m.razzell () gmail com>
> > wrote:
> > > Users hear constantly that they should add complexity to their
> > > passwords, but from the math of it doesn't length beat complexity
> > > (assuming they don't just choose a long word)?  This is not to suggest
> > > they should not use special characters, but simply that something like
> > > Security.Basics.List would provide better security than D*3ft!7z.  Is
> > > that correct?
> > >
> > > Thanks,
> > > -Mike
> > >
> > > --
> > > Sent from my mobile device
> > >
> > > ------------------------------------------------------------------------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who needs an
> > > SSL certificate.  We look at how SSL works, how it benefits your company and
> > > how your customers can tell if a site is secure. You will find out how to
> > > test, purchase, install and use a thawte Digital Certificate on your Apache
> > > web server. Throughout, best practices for set-up are highlighted to help
> > > you ensure efficient ongoing management of your encryption keys and digital
> > > certificates.
> > >
> > >
> > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL
> > certificate.  We look at how SSL works, how it benefits your company and how
> > your customers can tell if a site is secure. You will find out how to test,
> > purchase, install and use a thawte Digital Certificate on your Apache web
> > server. Throughout, best practices for set-up are highlighted to help you
> > ensure efficient ongoing management of your encryption keys and digital
> > certificates.
> >
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------