Bill Jonas on Thu, 30 Aug 2001 04:00:11 +0200
On Thu, Nov 29, 2001 at 03:28:17PM -0500, Darxus@chaosreigns.com wrote:
> At the picnic it was suggested that disallowing passwords which contained
> dictionary words would reduce the strength of the password, by reducing the
> number of possible passwords. The question was, how effective would a
> reverse dictionary attack be ?

I strongly disagree with that assertion. First, assume that you are limited to 26 possible choices per character for an eight-character password. (We're assuming single-case alphabetics here.) That means that there are 26^8 possible passwords (for a set of 26 to choose from, there are 26^8 different permutations out there). Now:

-> For reference:

    bj@epoch:~$ wc -l /usr/share/dict/words
    45392 /usr/share/dict/words

-> How many eight-character words are there in our dictionary?

    bj@epoch:~$ grep -c '^........$' /usr/share/dict/words
    7076

-> Let's run some calculations:

    bj@epoch:~$ bc
    bc 1.06
    Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
    This is free software with ABSOLUTELY NO WARRANTY.
    For details type `warranty'.
    26^8
    208827064576

-> That's a lot of potential passwords! :) Let's see what percentage of these we're eliminating...

    scale=10
    7076/208827064576
    .0000000338

-> Hmm. .00000338% of the set of passwords have been eliminated. But what if we throw in 100,000 more, to account for, say, common misspellings, passwords that consist of a single character repeated eight times, passwords consisting of sequential letters (abcdefgh and the like), and other assorted things we don't want?

    107076/208827064576
    .0000005127

-> We've eliminated .0000005127% of possible eight-character passwords. But perhaps our dictionary doesn't include all the different valid eight-character English words. After all, such things as plurals are determined algorithmically. While we're at it, let's bump it up from 100,000 to 1,000,000; we're going to install a few foreign-language dictionaries too.

    1007076/208827064576
    .0000048225

-> Let's be real password Nazis and disallow the number of words in our dictionary plus one billion more potential passwords:

    1000007076/208827064576
    .0047886852

We're still left with over 99.5% of all eight-character passwords at our disposal. And this is just with 26 characters to choose from for our password. In actuality, I count 47 "regular printed character" keys on my keyboard, which gives you 94 characters when combined with the shift key. Plug 94^8 into the last calculation instead of 26^8 and you get .00001640%. Add a trillion instead of a billion to our number of disallowed passwords and you get .01640503%.

Password crackers *love* dictionary attacks. :)

-- 
Bill Jonas * bill@billjonas.com * http://www.billjonas.com/

"As we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously." -- Benjamin Franklin

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
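The arithmetic in Bill's post, redone as a small script (added here for illustration; it is not part of the original message). It reproduces the grep count over a constructed sample wordlist standing in for /usr/share/dict/words, computes the fraction of the 26^8 and 94^8 spaces that a disallow-list removes, expresses that loss in bits of entropy, and contrasts the brute-force guess count with what a guesser who tries the dictionary first needs when the password is a dictionary word.

```python
"""Password-space arithmetic: how much of the space a disallow-list removes,
and why dictionary-first guessing is what matters for the defender."""
import math


def count_words_of_length(words, length):
    """Equivalent of grep -c '^........$': count entries of exactly `length` chars."""
    return sum(1 for w in words if len(w) == length)


def fraction_eliminated(alphabet_size, length, disallowed):
    """Share of the alphabet_size**length space removed by `disallowed` strings."""
    space = alphabet_size ** length
    if disallowed > space:
        raise ValueError("cannot disallow more strings than the space holds")
    return disallowed / space


def bits_lost(alphabet_size, length, disallowed):
    """Entropy lost, in bits, for a password chosen uniformly from the remaining set."""
    space = alphabet_size ** length
    return math.log2(space) - math.log2(space - disallowed)


def expected_guesses_uniform(alphabet_size, length):
    """Average brute-force guesses to hit a uniformly chosen password."""
    return (alphabet_size ** length + 1) / 2


def dictionary_first_guesses(dictionary_size):
    """Worst-case guesses when the password is a dictionary word and the
    guesser tries the whole dictionary before anything else."""
    return dictionary_size


# Constructed sample wordlist (not the real /usr/share/dict/words).
SAMPLE_WORDS = ["password", "computer", "keyboard", "cat", "linux", "sunshine", "pen"]

if __name__ == "__main__":
    print(f"eight-letter words in sample list: {count_words_of_length(SAMPLE_WORDS, 8)}")
    for label, disallowed in [("dictionary", 7076), ("+1 billion", 1_000_007_076)]:
        for alpha in (26, 94):
            f = fraction_eliminated(alpha, 8, disallowed)
            lost = bits_lost(alpha, 8, disallowed)
            print(f"{label:>11} alphabet={alpha}: {100 * f:.8f}% removed, {lost:.2e} bits lost")
    print(f"brute force, 26^8, expected guesses: {expected_guesses_uniform(26, 8):.3e}")
    print(f"dictionary word found within: {dictionary_first_guesses(7076)} guesses")
```

The bits-lost column is the quantitative version of Bill's point: removing even a billion strings from the 26^8 space costs under a hundredth of a bit, while a user who picks one of the 7076 words hands the guesser a search of 7076 candidates instead of roughly 10^11.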