[clue] My password rant

David L. Willson DLWillson at TheGeek.NU
Thu Aug 11 13:05:17 MDT 2011 

So, even though my password rant has been wrong all these years, I now feel the need to prove that I'm capable of learning.

So, with that, I'll show that I comprehend Randall Munroe's main point.

If my password is two numeric characters, it has a hardness of 100. 10 possible values, squared. 00 through 99.
If my password is 3 lower-case alphabetic characters, it has a hardness of 17576. 26 possible values, cubed. aaa through zzz.
If my password is 9 simple alphabetic-numeric-punctuation, it has a hardness of about 1000000000000000000, or 1e+18 in scientific notation. About 100 possible values, in each of 9 positions. "         " through "~~~~~~~~~".

The problem with that really hard, 9 character randomly-generated password, is that I can't remember it. I have to write it down somehow. I don't have to stick the note to my monitor, but I might think I should, if I'm careless or stupid.

Can I get a really hard password, that's easy to remember? According to XKCD (Randall Munroe), I can. He says 4 random words will be a good strong password, even if I only use lowercase+space.

So, I estimate that "four random word" pass-phrase strength this way:

Average word length = 5, plus 4 spaces. So, the password will be about 24 characters long. The first character will be a lower-case alpha, as will the last, the others can all be lower-case alpha, or a space. So, the password strength will be about 27^25*26^2, or 4.1e+38. WOW! That ~is~ strong!

But one might argue that by using words as tokens, a cracker could attack my password more effectively. Let's suppose that he knows I'm using dictionary words, which dictionary I'm using, and that I'm always using spaces between. Now, my supposed cracker has a relatively simple problem to solve, right?

Not so much... On my Ubuntu 10.04 system, /usr/share/dict/american-english has 98569 words. Yielding a password strength of 98569^4 or 9.4e+19. That's about 100 times stronger than my 9-character "strong by complexity" password!

OK, let's say I take an easier dictionary, with smaller words. The Quiddler dictionary only has "over 10K" words. Using it yields a much weaker password with a strenth of merely 10000^4 or 1.0e+16.

The key here is that the system behind has to support really long passwords, and I have to suppress the urge to outsmart the system by selecting a phrase well-known to me, that just might be well-known to my attacker.

If I'm energetic, I code up a random-word-selector.
If I'm lazy, I ask one of you-all to do it.
If I'm lazy and impatient, I find one online---
    http://www.random.org/lists/ (bring your own short dictionary)
    http://unique-names.com/random-word.php
---or install one from synaptic.
    dadadodo (bring your own text-book, something from Project Gutenberg might be nice)

David L. Willson
Trainer, Engineer, Enthusiast
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
tel://720.333.LANS
Freedom is better when you earn it. Learn Linux.

----- Original Message -----
> From: "Will" <will.sterling at gmail.com>
> To: "CLUE's mailing list" <clue at cluedenver.org>
> Sent: Thursday, August 11, 2011 7:04:15 AM
> Subject: Re: [clue] My password rant
> 
> 
> 
> Entopy is a measure of randomness. /dev/urandom spits out numbers as
> fast as it can and is said to have little entropy because patterns
> can be identified. /dev/random works much slower as it tries to be
> truley random and only spits out a number after it has collected
> enough data to generate a number that its developer feels can not be
> guessed and does not establish a pattern. This waiting period
> between numbers is typically reffered to as gathering entropy.
> 
> The use of the word entropy in the comic is a bit odd because his
> example passwords were not randomly generated but words with common
> substiutions. So even though one is longer then the other both would
> have almost no entropy.
> 
> His cracking assumption is that a brute force attack will be run
> against a poorly configured web service that does not lock accounts
> after a given number of failed attempts. So the best protection is
> to have a very long password with no dictionary words.
> 
> Regards,
> Will
> 
> 
> On Wed, Aug 10, 2011 at 8:20 PM, Mike Bean < beandaemon at gmail.com >
> wrote:
> 
> 
> 
> Maybe I am the novice, but I guess I don't really get it. There's a
> leap there. His "strong password" consists of a collection of 25
> characters of which there are 26 possibles, so if we're really
> talking about brute force guessing, how could 25 to the 26th power
> possible combinations be harder to guess then 60 or 70 (give or
> take) to the 26th power and some change?
> 
> 
> 
> I guess I'm new to crypto, but when you get right down to it, I don't
> really grok this concept of 28 bits of entropy versus 44 bits of
> entropy. What is entropy? (in the crypto sense)?? And how did he
> manage to calculate 28 bits v 44?? Is it just because there are more
> digits?
> 
> 
> Don't most competently configured systems lock you out after 10
> failed tries anyway?
> Normally I totally support XKCD, but honestly, I can tell there's
> more going on in strip 936 then I understand.
> 
> 
> Bean
> 
> 
> On Wed, Aug 10, 2011 at 5:20 PM, David L. Willson <
> DLWillson at thegeek.nu > wrote:
> 
> 
> 
> 
> 
> I'm never giving my password rant again. I'm just going to send a
> link to this XKCD, and wait a few minutes until my novice "gets it".
> 
> http://www.xkcd.com/936/
> 
> David L. Willson
> Trainer, Engineer, Enthusiast
> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
> tel://720.333.LANS
> Freedom is better when you earn it. Learn Linux.
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
> 
> 
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
> 
> 
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue

More information about the clue mailing list