Re: Diceware method adoption - brute force me if you dare

[jf <jf () danglingpointers net>]

police officers (in the states) wear bullet proof vests because there is a
high probability of them getting shot/shot at, do you think that somehow makes it legal?


On Wed, 12 Mar 2008, M.B.Jr. wrote:

> Date: Wed, 12 Mar 2008 16:15:56 -0300
> From: M.B.Jr. <marcio.barbado () gmail com>
> To: Full-Disclosure mailing list <full-disclosure () lists grok org uk>
> Subject: [Full-disclosure] Diceware method adoption - brute force me if you
>     dare
>
> Dear list,
> I was studying this passphrase creation method called Diceware:
>
> http://world.std.com/~reinhold/diceware.html
>
> In it, one rools a common dice five times, write down the results, in
> a sequential manner,  and then check the suggested word in the
> DICTIONARY they provide.
> You got that? The method is supposed to give the user the words to use.
>  Say your results were "5;6;1;5;3", then you check their table and the
> word listed under that number sequence is "sus"; well, that's the
> (pretty short) word to use in your passphrase.
> A 46,656 (6^6) word dictionary, publicly available. The method is
> clearly one bad choice for password creation but it's fairly
> acceptable for obtaining passphrases and concerning the latter, it
> assumes that eventual attackers know the referred dictionary, however
> offering a low guessing probability (high information entropy) for
> passphrases.
>
> Despite the "rite of passage" idea in which the target stops trying to
> hide and starts expecting attacks as a certainty, my point here is
> legal.
> Doesn't adopting the Diceware method in a, say, government corporative
> environment means legalizing brute force attacks?
>
> Yours faithfully,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/