Dave Turner on Sat, 1 Sep 2001 19:40:18 +0200



Re: [PLUG] Does restricting partial words weaken passwords?


gabriel rosenkoetter wrote:

> It's worth noting that password checkers commonly thought to be
> useful (like the one that ships with npasswd) do check for pieces of
> password that match up with words in /usr/dict/words, though not
> chunks as you describe to the best of my knowledge, but also look
> for things that are basically words with one (or more) character(s)
> wrong, things that are words through standard B1FF-speak
> substitution, and a variety of other heuristics (go read the source).

Someone reported having a password checker reject a password on the basis of
"partial word match".  

> What math did you use to decide on this? Because if you're just
> seeing how many times a given three letter phrase *could* show up
> within eight characters, you're definitely missing the larger
> picture.

See below.  But you have it backwards - I am calculating the percentage of
n-character passwords which will contain fragments of length m.  That is, how
much your keyspace (nontechnically) is reduced.

>> Word count of dictionary: 263,533 words.

> I presume this is Linux's /usr/dict/words? You might be interested
> to know that Solaris's is only 25143 words...

It's Debian GNU/Linux's, yeah.  Probably different distros have different
dictionaries.


gabriel rosenkoetter wrote:
> 
> On Thu, Nov 29, 2001 at 03:28:17PM -0500, Darxus@chaosreigns.com wrote:
> > At the picnic it was suggested that disallowing passwords which contained
> > dictionary words would reduce the strength of the password, by reducing the
> > number of possible passwords.  The question was, how effective would a
> > reverse dictionary attack be ?
> 
> That's an interesting theory. I don't agree with the math that was
> in Dave's post, though. Did it include numerals? Shifted numerals?
> Count upper- and lower-case letters as the same or different? What
> about control characters, some of which are A-OK in a password, and
> which I frequently use? To do this right, you really have to base your
> search space not on natural language but on ASCII codes, removing
> the ones that are not useable, like ^M, ^J, ^C, ^[, ^H, ^V, and
> anything it's not possible to issue with a keystroke (0x00 through
> 0x06, if memory serves), but including everything you can get with
> the meta-key and so forth (that is, everything upwards of 0x7F; note
> that that more than doubles your character search space). Yes, I
> really do use these characters in passwords and -phrases. Routinely.

But you don't have to deal with a wide range of systems, some of which don't
allow these.  I chose to deal with only lowercase letters.  Adding uppercase
letters would make no difference, since you could also mix up the case of the
dictionary.


Darxus wrote:
>> Chance of password of n characters containing part of a dictionary word:
>> 3 = 42.75%
>
> I'd love to see your calculations.

This isn't the actual code I used, but it's close.  I ended up doing the
final calculation in calc at home, so it's right, even if this isn't.

use strict;
use warnings;

my $sectlen = 3;                # fragment length m

my (%frags, $j);
while (<>) {                    # one dictionary word per line (e.g. /usr/dict/words)
    chomp;
    next if length ($_) < $sectlen;
    # every window of $sectlen characters; "<=" so the final window is counted too
    for (my $i = 0; $i <= length ($_) - $sectlen; $i ++) {
        my $sect = lc substr ($_, $i, $sectlen);
        $frags {$sect} ++;
    }
    if ((++$j % 10000) == 0) {  # progress report: distinct fragments so far
        print scalar keys %frags;
        print "\n";
    }
}
my $nfrags = (scalar keys %frags);
print "Fragments: " . $nfrags . "\n";
# An n-character password has n - m + 1 windows of length m; treat each as an
# independent draw from the 26**m lowercase strings and report the percentage
# of passwords that land on a dictionary fragment at least once.
for (3..8) {
    print "Chances of bad password of $_ characters being chosen: " .
      (100 - 100 * (1 - $nfrags / 26 ** $sectlen) ** ($_ - $sectlen + 1)) .
      "\n";
}
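As an added illustration (not code from Dave's post), the same calculation in Python with a small constructed word list standing in for /usr/dict/words. It reproduces the post's formula and, for small n, checks it against an exact enumeration of all 26**n lowercase strings: the formula treats the n - m + 1 windows of a password as independent draws, which they are not, because neighbouring fragments taken from the same word overlap.

```python
import itertools
import string

ALPHABET = string.ascii_lowercase

# Constructed stand-in for /usr/dict/words (not the list used in the post).
SAMPLE_WORDS = ["password", "apple", "linux", "debian", "secure", "banana", "hello"]


def fragments(words, m):
    """Set of every lowercase m-character window of every word (all windows,
    including the final one, which a '<' loop bound would skip)."""
    frags = set()
    for w in words:
        w = w.lower()
        for i in range(len(w) - m + 1):
            frags.add(w[i:i + m])
    return frags


def formula_pct(nfrags, n, m):
    """The post's estimate: each of the n-m+1 windows of an n-character
    lowercase password is treated as an independent draw from 26**m strings."""
    p = nfrags / 26 ** m
    return 100 * (1 - (1 - p) ** (n - m + 1))


def exact_pct(frags, n, m):
    """Exact percentage by enumerating all 26**n lowercase strings (keep n small)."""
    hits = 0
    for tup in itertools.product(ALPHABET, repeat=n):
        s = "".join(tup)
        if any(s[i:i + m] in frags for i in range(n - m + 1)):
            hits += 1
    return 100 * hits / 26 ** n


def compare(words, n, m):
    """Return (formula estimate, exact value) for passwords of length n."""
    frags = fragments(words, m)
    return formula_pct(len(frags), n, m), exact_pct(frags, n, m)


if __name__ == "__main__":
    for n in (3, 4):
        est, exact = compare(SAMPLE_WORDS, n, 3)
        print(f"n={n}: formula {est:.4f}%  exact {exact:.4f}%")
```

For n = m the two agree exactly; from n = m + 1 on, the independence assumption overstates the share of rejected passwords whenever fragments chain (the "pas"/"ass" pairs inside a word).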



-- 
-[Dave Turner                                 Stalk me:  (215)-545-2859]


