gabriel rosenkoetter on Thu, 30 Aug 2001 01:30:52 +0200


Re: [PLUG] Does restricting partial words weaken passwords?


On Thu, Nov 29, 2001 at 03:28:17PM -0500, Darxus@chaosreigns.com wrote:
> At the picnic it was suggested that disallowing passwords which contained
> dictionary words would reduce the strength of the password, by reducing the
> number of possible passwords.  The question was, how effective would a
> reverse dictionary attack be ?

That's an interesting theory. I don't agree with the math that was
in Dave's post, though. Did it include numerals? Shifted numerals?
Count upper- and lower-case letters as the same or different? What
about control characters, some of which are A-OK in a password, and
which I frequently use? To do this right, you really have to base your
search space not on natural language but on ASCII codes, removing
the ones that are not useable, like ^M, ^J, ^C, ^[, ^H, ^V, and
anything it's not possible to issue with a keystroke (0x00 through
0x06, if memory serves), but including everything you can get with
the meta-key and so forth (that is, everything upwards of 0x7F; note
that that more than doubles your character search space). Yes, I
really do use these characters in passwords and -phrases. Routinely.

I would point out that the passwords that you are "limited" to by
this take significantly longer to brute force than ones that you can
reach with a dictionary attack.

I'd also like to reiterate that if anyone ever gets their hands on
your encrypted password file, you might as well consider yourself
already screwed and throw in the towel. The point of strong passwords
is so that random typing (à la Swordfish) doesn't get anybody anywhere.
And picking a password like that from the search space "limited"
by removing words (or word-fragments) is easy.

-- 
       ~ g r @ eclipsed.net


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
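
Added example, not part of the original message or the thread: a way to measure the effect the thread is arguing about, by counting exactly how many fixed-length passwords survive a "no banned word as a substring" rule and how many bits of search space the rule removes. It uses an Aho-Corasick automaton and a dynamic-programming count; the function names are hypothetical, matching is case-sensitive, and the alphabet size is a parameter assumed to include every character that appears in the banned words.

```python
from collections import deque
from math import log2

def step(goto, fail, s, ch):
    # Follow failure links until ch can be read; returns the next state.
    while s and ch not in goto[s]:
        s = fail[s]
    return goto[s].get(ch, 0)

def build_automaton(words):
    # Aho-Corasick: trie edges, failure links, bad[s] = a banned word ends at s.
    goto, fail, bad = [{}], [0], [False]
    for w in words:
        s = 0
        for ch in w:
            if ch not in goto[s]:
                goto.append({}); fail.append(0); bad.append(False)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        bad[s] = True
    queue = deque(goto[0].values())
    while queue:  # breadth-first, so shallower states are already final
        s = queue.popleft()
        for ch, t in goto[s].items():
            fail[t] = step(goto, fail, fail[s], ch)
            bad[t] = bad[t] or bad[fail[t]]  # banned word ending as a suffix
            queue.append(t)
    return goto, fail, bad

def count_allowed(words, alphabet_size, length):
    # Number of length-`length` strings containing none of `words` as a substring.
    goto, fail, bad = build_automaton(words)
    letters = sorted({ch for w in words for ch in w})
    others = alphabet_size - len(letters)  # symbols in no banned word reset to root
    counts = [1] + [0] * (len(goto) - 1)
    for _ in range(length):
        nxt = [0] * len(goto)
        for s, c in enumerate(counts):
            nxt[0] += c * others
            for ch in letters:
                t = step(goto, fail, s, ch)
                if not bad[t]:
                    nxt[t] += c
        counts = nxt
    return sum(counts)

def bits_lost(words, alphabet_size, length):
    # Entropy given up by the ban, for uniformly random passwords.
    return length * log2(alphabet_size) - log2(count_allowed(words, alphabet_size, length))
```

For instance, `bits_lost(["pass", "word"], 95, 8)` gives the loss for 8-character passwords over the 95 printable ASCII characters with a constructed two-word ban list; swap in a real word list and the alphabet size you actually accept to get your own figure.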