<div>Entopy is a measure of randomness. /dev/urandom spits out numbers as fast as it can and is said to have little entropy because patterns can be identified. /dev/random works much slower as it tries to be truley random and only spits out a number after it has collected enough data to generate a number that its developer feels can not be guessed and does not establish a pattern. This waiting period between numbers is typically reffered to as gathering entropy.</div>
<div> </div><div>The use of the word entropy in the comic is a bit odd because his example passwords were not randomly generated but words with common substiutions. So even though one is longer then the other both would have almost no entropy.</div>
<div> </div><div>His cracking assumption is that a brute force attack will be run against a poorly configured web service that does not lock accounts after a given number of failed attempts. So the best protection is to have a very long password with no dictionary words.</div>
<div> </div><div>Regards,</div><div>Will<br><br></div><div class="gmail_quote">On Wed, Aug 10, 2011 at 8:20 PM, Mike Bean <span dir="ltr"><<a href="mailto:beandaemon@gmail.com">beandaemon@gmail.com</a>></span> wrote:<br>
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;" class="gmail_quote"><div>Maybe I am the novice, but I guess I don't really get it. There's a leap there. His "strong password" consists of a collection of 25 characters of which there are 26 possibles, so if we're really talking about brute force guessing, how could 25 to the 26th power possible combinations be harder to guess then 60 or 70 (give or take) to the 26th power and some change? <br>
</div><div><br></div><div>I guess I'm new to crypto, but when you get right down to it, I don't really grok this concept of 28 bits of entropy versus 44 bits of entropy. What is entropy? (in the crypto sense)?? And how did he manage to calculate 28 bits v 44?? Is it just because there are more digits?</div>
<div><br></div><div>Don't most competently configured systems lock you out after 10 failed tries anyway?</div><div>Normally I totally support XKCD, but honestly, I can tell there's more going on in strip 936 then I understand.</div>
<div><br></div><font color="#888888"><div>Bean</div><br></font><div class="gmail_quote"><div class="im">On Wed, Aug 10, 2011 at 5:20 PM, David L. Willson <span dir="ltr"><<a href="mailto:DLWillson@thegeek.nu" target="_blank">DLWillson@thegeek.nu</a>></span> wrote:<br>
</div><div><div></div><div class="h5"><blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;" class="gmail_quote">
I'm never giving my password rant again. I'm just going to send a link to this XKCD, and wait a few minutes until my novice "gets it".<br>
<br>
<a href="http://www.xkcd.com/936/" target="_blank">http://www.xkcd.com/936/</a><br>
<br>
David L. Willson<br>
Trainer, Engineer, Enthusiast<br>
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP<br>
tel://720.333.LANS<br>
Freedom is better when you earn it. Learn Linux.<br>
_______________________________________________<br>
clue mailing list: <a href="mailto:clue@cluedenver.org" target="_blank">clue@cluedenver.org</a><br>
For information, account preferences, or to unsubscribe see:<br>
<a href="http://cluedenver.org/mailman/listinfo/clue" target="_blank">http://cluedenver.org/mailman/listinfo/clue</a><br>
</blockquote></div></div></div><br>
<br>_______________________________________________<br>
clue mailing list: <a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br>
For information, account preferences, or to unsubscribe see:<br>
<a href="http://cluedenver.org/mailman/listinfo/clue" target="_blank">http://cluedenver.org/mailman/listinfo/clue</a><br></blockquote></div><br>