Educause Security Discussion mailing list archives
Re: Password entropy
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 20 Jul 2006 10:18:12 -0700
Roger,
Passphrase_Length_and_Complexity_Considerations.xls If the sheet is incorrect, I'd like to know.
Nice find! The sheet is 2 years old, so the processing numbers need to be updated, and the sheet is misleading about entropy, since he is assuming a password cracker that uses brute force. On that assumption, entropy is near 99%, excepting that even a 'random' brute force crack is not exactly random. Thus, his comparison to pass phrases is equally problematic. In other words, it is challenging to account for real world math on password crackers without being accurate as to the cracking method (pattern matching in particular, which all modern crackers do in some form), and thus his generic approach misses that real-world gap while creating a false theoretical gap with the entropy variable.

All in all though, I think this is a good resource. It is a reasonable and commendable attempt to create some ground on a complex issue, but it could use a disclaimer. ;)

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
-----Original Message-----
From: Roger Safian [mailto:r-safian () NORTHWESTERN EDU]
Sent: Wednesday, July 19, 2006 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password entropy

BTW - you can download Passphrase_Length_and_Complexity_Considerations.xls from
<http://www.shiloh.k12.il.us/tech/feast2006/Scripting/JasonFossenScripts/Day6--Scripting/>

If the sheet is incorrect, I'd like to know.

--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice) (847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
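Added example, not part of the original messages or of the spreadsheet they discuss: a small Python sketch of the gap described in the reply above, comparing the entropy a brute-force assumption assigns to a password with the search space of a simple pattern-aware guesser. The pattern model (dictionary word, optional capital, up to four trailing digits), the sample wordlist and the 100,000-word dictionary size are assumptions chosen for illustration.

```python
import math

# Constructed stand-in for a cracking dictionary; DICT_SIZE is an assumed
# size for a realistic wordlist, used only for the guess-count arithmetic.
SAMPLE_WORDS = {"password", "summer", "dragon", "welcome", "monkey"}
DICT_SIZE = 100_000
MAX_DIGITS = 4  # the pattern model covers 0-4 trailing digits


def charset_size(pw):
    """Size of the alphabet a pure brute-force search would have to cover."""
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += 33 if any(not c.isalnum() for c in pw) else 0  # ASCII symbols incl. space
    return size


def brute_force_bits(pw):
    """Entropy if every character were drawn uniformly from the charset."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def pattern_bits(pw):
    """Bits of search space for [word | Word] + 0-4 digits, or None if no match."""
    stem = pw.rstrip("0123456789")
    n_digits = len(pw) - len(stem)
    if n_digits > MAX_DIGITS or stem.lower() not in SAMPLE_WORDS:
        return None
    if stem not in (stem.lower(), stem.capitalize()):
        return None
    digit_tails = sum(10 ** k for k in range(MAX_DIGITS + 1))  # 11111 suffixes
    return math.log2(DICT_SIZE * 2 * digit_tails)


def effective_bits(pw):
    """The smaller of the two estimates: a password is as weak as its easiest model."""
    guessed = pattern_bits(pw)
    brute = brute_force_bits(pw)
    return brute if guessed is None else min(brute, guessed)


if __name__ == "__main__":
    for pw in ("Summer2006", "q7Rk2mXw9b"):  # constructed sample passwords
        print(f"{pw}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"pattern-aware {effective_bits(pw):.1f} bits")
```

Both sample passwords score the same under the brute-force assumption (same length and character classes); only the pattern-aware estimate separates them.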