Educause Security Discussion mailing list archives
Re: Password entropy
From: Brent Sweeny <sweeny () INDIANA EDU>
Date: Wed, 19 Jul 2006 14:13:45 -0400
and it's even better if you substitute some non-letters for some of the letters/words...

David Gillett wrote:

> If I choose "1 am not going to PAY a lot for the muffler!" as my "passphrase", *I* will probably use "1angtPalftm" as the actual *password*. (Actually, that's only 11 characters, so I would use a different phrase -- perhaps a memorized bit of poetry or song lyrics.) So I'm not using it as an actual passphrase, but as a mnemonic. Knowing the phrase gets me the password, but knowing English doesn't much help someone crack it. (Letter frequencies can still be an issue -- but note that letter frequencies for initial (and terminal!!) position vary from the average for text....) But knowledge of words and grammar doesn't help, nor does a dictionary.
>
> David Gillett
>
> -----Original Message-----
> From: Basgen, Brian [mailto:bbasgen () PIMA EDU]
> Sent: Wednesday, July 19, 2006 10:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password entropy
>
> > something like "1 am not going to PAY a lot for the muffler!". It's easy to remember, it's much longer, and therefore much stronger, and it has a reasonable character set combination.
>
> Your quote above represents a mix of letters, case, numerals, and symbols. Assuming true randomness, that accounts for 96 characters possible, and you have 44 characters shown, which is 1.6 x 10^87 (a vigintillion). Mixing characters often gives a false sense of security due to math that assumes randomness. Since English has 500,000 words, a combination of just four words would give us 6.25 x 10^22 (sextillion), which is a great place to be for entropy. But even here, is the assumption of randomness correct? I don't think so. If we go on the assumption that most English speakers have a vocabulary of 50,000 words, and thus that users will create passwords for words they already know (thus the easy memorization argument), then a fifth word is required to produce great entropy (3.125 x 10^23). Yet, when dealing with sextillion combinations, wouldn't the rules of grammar restrict the amount of combinations?
>
> I don't know what that math would look like, but it seems that is a reasonable way to answer this debate between passwords and passphrases.
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> IT Systems Architect, Security
> Pima Community College
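The thread compares three keyspace models: 44 characters drawn from a 96-symbol set, four words from a 500,000-word language, and five words from a 50,000-word personal vocabulary, and David Gillett adds that the first-letter mnemonic has skewed letter frequencies. The script below is an added worked example, not code from any of the posters; it reproduces those counts exactly, converts them to bits, and shows how a non-uniform per-symbol distribution lowers entropy below log2(26). The guess rate and the skewed first-letter weights are constructed assumptions for illustration, not measured data.

```python
"""Passphrase strength under the models discussed in the thread.

Added example, not from the list posts.  The 96-symbol set and the word
counts come from Brian Basgen's message; the guess rate and the skewed
letter weights are constructed assumptions.
"""
import math


def combinations(alphabet_size: int, length: int) -> int:
    """Exact count of sequences when each of `length` symbols is chosen
    uniformly and independently from `alphabet_size` possibilities."""
    return alphabet_size ** length


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits for the same uniform model: log2(combinations())."""
    return length * math.log2(alphabet_size)


def shannon_bits(weights) -> float:
    """Entropy in bits of ONE symbol drawn from a distribution given as
    relative weights.  Equals log2(n) only when all n weights are equal,
    which is why skewed first-letter frequencies cost entropy."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a 2**bits space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# (alphabet size, length) for each model named in the thread.
MODELS = {
    "44 printable chars, uniform over 96": (96, 44),
    "4 words, uniform over 500,000": (500_000, 4),
    "5 words, uniform over 50,000": (50_000, 5),
    "11-char mnemonic, uniform over 96": (96, 11),  # '1angtPalftm' if its letters were random
}

# Constructed relative frequencies (not real English statistics): four
# initial letters carry most of the weight, the other 22 share the rest.
SKEWED_FIRST_LETTER = [12, 10, 9, 8] + [1] * 22


def summarize(guesses_per_second: float = 1e10) -> dict:
    """Return {model: (combinations, bits, years to exhaust)}.
    The default guess rate is an assumed figure, not a measurement."""
    out = {}
    for name, (alphabet, length) in MODELS.items():
        bits = uniform_bits(alphabet, length)
        out[name] = (
            combinations(alphabet, length),
            bits,
            years_to_exhaust(bits, guesses_per_second),
        )
    return out


if __name__ == "__main__":
    for name, (count, bits, years) in summarize().items():
        print(f"{name:38s} {count:.3e} candidates {bits:6.1f} bits {years:.2e} years")
    print(f"per-letter entropy, uniform 26:  {shannon_bits([1] * 26):.2f} bits")
    print(f"per-letter entropy, skewed:      {shannon_bits(SKEWED_FIRST_LETTER):.2f} bits")
```

The exact integers confirm the figures quoted in the thread (6.25 x 10^22 and 3.125 x 10^23), and the bit values make the comparison easier to read than the decimal counts: roughly 290 bits for the full 44-character phrase versus about 76 to 78 bits for the word models and about 72 bits for the 11-character mnemonic even under the generous uniform assumption. The skewed distribution shows the direction of the correction David Gillett raises: once per-letter entropy drops below log2(26), the mnemonic's real strength is lower than its length suggests.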