someone figured out my email address

Matt Graham danceswithcrows at usa.net
Wed Nov 23 16:36:04 MST 2011


From: Technomage Hawke
> was that a comic page? I tried to find more than the apology there
> for the arguments about password security but I was confronted
> with the bane of every blind person: images that aren't
> descriptive.

Take a reasonably common password, like "troubaD0r&3".  There are about 28
bits of entropy in that password; 11 for a reasonably random dictionary word,
a few extra for replacing chars with numbers, a few extra for having a capital
letter, and a few more for a random punctuation char and a number.  2^28 bits
of entropy at 1000 guesses per second = 3 days to crack the password.  And
it's hard to remember.  Was it trombone?  Or troubador?  And which O was a
zero?  And there was some symbol....

Take a different password, like "correct horse battery staple".  4 common
English words, in a random order.  This is 44 bits of entropy.  2^44 bits of
entropy at 1000 guesses per second = 550 years.  So it's hard to guess.  Is it
easy to remember?  You've already memorized it!

Through 20 years of effort, we've trained people to use passwords that are
hard for humans to remember, but comparatively easy for machines to guess.

This is not entirely serious (big surprise in a comic strip!).  Some systems
have a max password length, and the number of bits of entropy in those
passwords is very open to debate.  This didn't stop me from writing
"correcthorsebatterystaple.php", which picked 20 random words from
/usr/share/dict/words and spat them to stdout.  What do you mean "viridian
Syria cacomixl devilfish" isn't going to work on older Active Directory
systems?  Also, if you have to type in a password ~50 times a day, it's easier
if it's short.

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
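The entropy arithmetic in the post above, worked through in code as an added example (this is not Matt's correcthorsebatterystaple.php and not part of the original message). It reproduces the post's figures under the post's own assumptions: 28 bits for the mangled dictionary word, 11 bits per word from a roughly 2048-word list, a brute-force rate of 1000 guesses per second, and a search of the entire keyspace. The small word list and the fallback path are constructed so the block runs offline; the word-length filter on /usr/share/dict/words is an assumption about what makes a word typeable, not anything the post specifies.

```python
"""Added example (not from the original post): passphrase entropy arithmetic
and a Diceware-style generator in the spirit of the post's
correcthorsebatterystaple.php.  Word lists and guess rates here are
constructed or assumed for illustration."""
import math
import os
import secrets

# Constructed stand-in for /usr/share/dict/words so the example runs offline.
# Only the list's SIZE matters for entropy; 16 words = 4 bits per word.
SAMPLE_WORDS = [
    "viridian", "syria", "cacomixl", "devilfish", "horse", "battery",
    "staple", "correct", "anvil", "beacon", "cobalt", "drizzle",
    "ember", "falcon", "granite", "harbor",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent, uniformly random picks
    from `alphabet_size` choices (log2 of the keyspace size)."""
    return symbols * math.log2(alphabet_size)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace of 2**bits at the given guess rate.
    Like the post, this counts the whole keyspace; an attacker finds the
    secret halfway through on average, so halve this for the expected time."""
    return (2.0 ** bits) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def load_wordlist(path: str = "/usr/share/dict/words",
                  min_len: int = 4, max_len: int = 8) -> list:
    """Load a system dictionary if present, keeping lowercase alphabetic
    words of typeable length (assumed filter); otherwise fall back to the
    constructed SAMPLE_WORDS."""
    if not os.path.exists(path):
        return list(SAMPLE_WORDS)
    words = set()
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            w = line.strip()
            if w.isalpha() and w.islower() and min_len <= len(w) <= max_len:
                words.add(w)
    return sorted(words) or list(SAMPLE_WORDS)


def generate_passphrase(words: list, count: int) -> str:
    """Pick `count` words uniformly with a CSPRNG (secrets.choice); that
    uniform, unpredictable choice is what makes entropy_bits() honest.
    random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_schemes(guesses_per_second: float = 1000.0) -> dict:
    """Reproduce the post's two headline figures under its assumptions:
    ~28 bits for a mangled dictionary word, 44 bits for four words drawn
    from a ~2048-word list (11 bits each).  Returns (bits, seconds)."""
    mangled_bits = 28.0
    passphrase_bits = entropy_bits(2048, 4)
    return {
        "mangled_word": (mangled_bits,
                         seconds_to_crack(mangled_bits, guesses_per_second)),
        "four_words": (passphrase_bits,
                       seconds_to_crack(passphrase_bits, guesses_per_second)),
    }


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:13s} {bits:5.1f} bits  ~{human_duration(secs)} at 1000 guesses/s")
    wl = load_wordlist()
    n = 4
    print(f"{len(wl)} candidate words -> {entropy_bits(len(wl), n):.1f} bits for {n} words")
    print("example:", generate_passphrase(wl, n))
```

Run as a script it prints roughly "3.1 days" and "557 years" for the two schemes, then draws a four-word passphrase from whatever word list it found. The guess rate is the lever to watch: the post's 1000 guesses per second models an online attack against a rate-limited service, while an offline attack on a leaked hash database runs many orders of magnitude faster, which is why the word-list size and word count, not the guess rate, are the parameters a defender controls.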



More information about the PLUG-discuss mailing list