Darxus on Thu, 30 Aug 2001 07:10:14 +0200



Re: [PLUG] Does restricting partial words weaken passwords?


On 08/29, Dave Turner wrote:
> Chance of password of n characters containing part of a dictionary word:
> 3 = 42.75%

I'd love to see your calculations.

On 08/29, Bill Jonas wrote:
> bj@epoch:~$ grep -c '^........$' /usr/share/dict/words
> 7076

> 7076/208827064576
> .0000000338

That's just the percentage of passwords that exactly match dictionary
words, not the number of passwords that contain dictionary words.


I believe we all agree that, say, the number of possible lowercase,
alphabetic-only possibilities in an exactly 6 character password is 26^6.

26^6
308915776

I wrote a simple program to spit out all those 26^6 possibilities,
called allpass.pl.  Then I did:

perl -e 'while (<>) { print lc; }' < /usr/share/dict/words | sort | uniq | grep '^.\{3,6\}$' > dict.lc.uniq.3-6

to generate a file called dict.lc.uniq.3-6 containing all 3 to 6 character
passwords in the (debian american english v2.0-1) dictionary file, lowercased.

Then I did:

/usr/bin/time ./allpass.pl | fgrep -vf dict.lc.uniq.3-6 > nodict.txt

(It took 18:31.75elapsed on my 1.4ghz athlon)

$ wc -l nodict.txt
271773081

271773081*100/308915776
87.97643309741487595635

100-87.97643309741487595635
12.02356690258512404365

So in this very limited case (exactly 6 character passwords, containing
only lowercase letters), eliminating all possibilities that contain
dictionary words that are 3 characters or longer eliminates 12% of the
possibilities.

This is interesting, but I think we all agree that passwords which are more
affected by this problem (limited (alphabetic only) character sets) stand no
chance against a brute force attack to begin with.  If you disagree with
me, feed such a password to l0phtcrack or crack
(ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/crack5.0.README).
They both exist to (among other things) verify that none of your users are
using dumb passwords.  They also happen to be among the best tools to crack
passwords.

Crack is a beautiful thing.  How many programs do you know of that
recompile themselves on the fly to take advantage of the speed increase of
defines over variables?  ...distributed across multiple cross-platform
servers, simultaneously.

-- 
http://www.ChaosReigns.com
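
The following script is an added example, not Darxus's allpass.pl or anything else from the thread. It computes the same quantity as his `allpass.pl | fgrep -vf dict.lc.uniq.3-6` pipeline (how many exactly-n-character lowercase passwords contain no dictionary word of 3 or more letters as a substring) but goes beyond the post's method: instead of generating all 26^n strings, it builds an Aho-Corasick automaton from the word list and counts clean strings by dynamic programming over automaton states, so the 26^6 case takes well under a second. A brute-force enumerator is included for cross-checking at short lengths. The word list `TOY_WORDS` is a constructed stand-in (an assumption; it is not the Debian dictionary the post used), and `load_wordlist` is a hypothetical helper for pointing the script at a real file such as `dict.lc.uniq.3-6`.

```python
"""
Measure how much a "no dictionary word as a substring" rule shrinks the
space of exactly-n-character, lowercase-only passwords, two ways:
  * count_by_enumeration: generate every password and filter, like the
    post's allpass.pl | fgrep -vf pipeline (slow, for cross-checking);
  * count_by_automaton: dynamic programming over an Aho-Corasick
    automaton built from the word list (never enumerates passwords).
"""
from collections import deque
from itertools import product
from string import ascii_lowercase

ALPHABET = ascii_lowercase

# Constructed toy word list standing in for dict.lc.uniq.3-6 (assumption;
# not the Debian word list the post used).
TOY_WORDS = ["cat", "dog", "act", "the", "and", "cab", "able", "bad", "abet"]


def normalize(words, min_len, max_len):
    """Lowercase, dedupe, and keep only words that can occur in such a password
    (entries with apostrophes etc. can never match a lowercase-only string)."""
    return sorted({w.lower() for w in words
                   if min_len <= len(w) <= max_len and w.isalpha()})


def load_wordlist(path, min_len=3, max_len=6):
    """Hypothetical helper: read a one-word-per-line list like dict.lc.uniq.3-6."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return normalize((line.strip() for line in fh), min_len, max_len)


def count_by_enumeration(words, length, min_len=3):
    """Brute force: count length-n passwords containing none of the words."""
    words = normalize(words, min_len, length)
    clean = 0
    for chars in product(ALPHABET, repeat=length):
        pw = "".join(chars)
        if not any(w in pw for w in words):
            clean += 1
    return clean


def build_automaton(words):
    """Aho-Corasick: full transition table over ALPHABET plus a per-state
    'some word ends here' flag, propagated along failure links."""
    goto = [{}]        # goto[state][char] -> next state
    out = [False]      # out[state]: a word is a suffix of the path to state
    for w in words:
        s = 0
        for ch in w:
            if ch not in goto[s]:
                goto.append({})
                out.append(False)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s] = True

    fail = [0] * len(goto)
    queue = deque()
    for ch in ALPHABET:            # depth-1 states fail back to the root
        if ch in goto[0]:
            queue.append(goto[0][ch])
        else:
            goto[0][ch] = 0
    while queue:                   # BFS order: fail[s] is shallower, already complete
        s = queue.popleft()
        for ch in ALPHABET:
            if ch in goto[s]:
                t = goto[s][ch]
                fail[t] = goto[fail[s]][ch]
                out[t] = out[t] or out[fail[t]]
                queue.append(t)
            else:
                goto[s][ch] = goto[fail[s]][ch]
    return goto, out


def count_by_automaton(words, length, min_len=3):
    """Count length-n passwords with no listed word as a substring:
    dist[state] = number of clean prefixes that end in that state."""
    words = normalize(words, min_len, length)
    goto, out = build_automaton(words)
    dist = {0: 1}
    for _ in range(length):
        nxt = {}
        for s, n in dist.items():
            for ch in ALPHABET:
                t = goto[s][ch]
                if not out[t]:           # a word just completed: drop this path
                    nxt[t] = nxt.get(t, 0) + n
        dist = nxt
    return sum(dist.values())


def reduction_percent(words, length):
    """Share of the 26**n space the rule removes (the post's 12.02% figure)."""
    total = len(ALPHABET) ** length
    return 100.0 * (total - count_by_automaton(words, length)) / total


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(n, count_by_automaton(TOY_WORDS, n),
              f"{reduction_percent(TOY_WORDS, n):.2f}% removed")
```

To redo the post's measurement, replace `TOY_WORDS` with `load_wordlist("dict.lc.uniq.3-6")`; the automaton count equals the post's `wc -l nodict.txt` for the same list because `fgrep -vf` keeps exactly the lines containing none of the fixed strings. The automaton is also what makes the reduction easy to evaluate for longer passwords or larger lists, which the enumeration approach cannot do (26^8 is over 200 billion strings).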


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug