[clue] My password rant

Will will.sterling at gmail.com
Thu Aug 11 07:04:15 MDT 2011


Entropy is a measure of randomness.  /dev/urandom spits out numbers as fast
as it can and is said to have little entropy because patterns can be
identified.  /dev/random works much slower as it tries to be truly random
and only spits out a number after it has collected enough data to generate a
number that its developer feels cannot be guessed and does not establish a
pattern.  This waiting period between numbers is typically referred to as
gathering entropy.

The use of the word entropy in the comic is a bit odd because his example
passwords were not randomly generated but words with common substitutions.
So even though one is longer than the other both would have almost no
entropy.

His cracking assumption is that a brute force attack will be run against a
poorly configured web service that does not lock accounts after a given
number of failed attempts.  So the best protection is to have a very long
password with no dictionary words.

Regards,
Will
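The bit counts being debated in this thread all come from one formula: a secret chosen uniformly from N equally likely values has log2(N) bits of entropy, and a string of L independent characters from an alphabet of size A has A**L possible values, hence L * log2(A) bits. The Python below is an added example, not code from anyone in this thread. It works the alphabet figures quoted above (26 letters, a 60-to-70 symbol keyboard set) and, to show how the "words with common substitutions" case ends up with so few bits, a simplified model whose dictionary size (50,000), mangling variants (16) and word-list size (2048) are constructed assumptions, not numbers from the comic or the messages.

```python
import math


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose characters are each drawn independently and
    uniformly from an alphabet of alphabet_size symbols.

    The search space is alphabet_size ** length, so the entropy is
    log2(alphabet_size ** length) = length * log2(alphabet_size).
    The alphabet size is the base and the length is the exponent.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def wordlist_passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase made of `words` words, each picked uniformly
    from a list of wordlist_size words. Same formula; the unit of choice is a
    word instead of a character."""
    if wordlist_size < 2 or words < 1:
        raise ValueError("need a list of at least 2 words and words >= 1")
    return words * math.log2(wordlist_size)


def substituted_word_bits(dictionary_size: int, variant_choices: int) -> float:
    """Simplified (assumed) model of a dictionary word with common
    substitutions: a letter swapped for a digit, a capital somewhere, a
    trailing symbol. The attacker enumerates one word from the dictionary
    times one of variant_choices ways of mangling it, so the entropy is the
    sum of the two logs, no matter how long the resulting string looks."""
    if dictionary_size < 2 or variant_choices < 1:
        raise ValueError("need a dictionary of at least 2 words and variants >= 1")
    return math.log2(dictionary_size) + math.log2(variant_choices)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit a uniformly chosen secret of the given
    entropy: half the search space, 2 ** (bits - 1). This is the online
    brute-force model from the thread, where nothing locks the account."""
    return 2.0 ** (bits - 1)


def compare_examples() -> dict:
    """Work the thread's cases with constructed inputs:
    - 25 lowercase letters, alphabet of 26
    - 11 characters from a 70-symbol alphabet
    - 4 words from an assumed 2048-word list
    - 1 word from an assumed 50,000-word dictionary with 16 mangling variants
    """
    return {
        "25 random lowercase letters": random_string_bits(26, 25),
        "11 random chars, 70-symbol alphabet": random_string_bits(70, 11),
        "4 words from 2048-word list (assumed)": wordlist_passphrase_bits(2048, 4),
        "mangled dictionary word (assumed model)": substituted_word_bits(50_000, 16),
    }


if __name__ == "__main__":
    for label, bits in compare_examples().items():
        print(f"{label:42s} {bits:6.1f} bits, "
              f"~{expected_guesses(bits):.3g} guesses on average")
```

The mangled-word row is the point of the "almost no entropy" remark: the string may be ten characters long, but an attacker who knows the generation process only has to search dictionary times variants, about 20 bits here, far below even eight truly random lowercase letters. The bit count describes the process that produced the password, not its length.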

On Wed, Aug 10, 2011 at 8:20 PM, Mike Bean <beandaemon at gmail.com> wrote:

> Maybe I am the novice, but I guess I don't really get it.  There's a leap
> there.  His "strong password" consists of a collection of 25 characters of
> which there are 26 possibles, so if we're really talking about brute force
> guessing, how could 25 to the 26th power possible combinations be harder to
> guess than 60 or 70 (give or take) to the 26th power and some change?
>
> I guess I'm new to crypto, but when you get right down to it, I don't
> really grok this concept of 28 bits of entropy versus 44 bits of entropy.
>  What is entropy?  (in the crypto sense)??   And how did he manage to
> calculate 28 bits v 44??  Is it just because there are more digits?
>
> Don't most competently configured systems lock you out after 10 failed
> tries anyway?
> Normally I totally support XKCD, but honestly, I can tell there's more
> going on in strip 936 than I understand.
>
> Bean
>
> On Wed, Aug 10, 2011 at 5:20 PM, David L. Willson <DLWillson at thegeek.nu> wrote:
>
>> I'm never giving my password rant again. I'm just going to send a link to
>> this XKCD, and wait a few minutes until my novice "gets it".
>>
>> http://www.xkcd.com/936/
>>
>> David L. Willson
>> Trainer, Engineer, Enthusiast
>> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
>> tel://720.333.LANS
>> Freedom is better when you earn it. Learn Linux.
>> _______________________________________________
>> clue mailing list: clue at cluedenver.org
>> For information, account preferences, or to unsubscribe see:
>> http://cluedenver.org/mailman/listinfo/clue
>>
>
>
>