> From: Alan McKinnon [mailto:alan.mckin...@gmail.com]
> Sent: Wednesday, January 11, 2012 7:31 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Resetting the root passwd
> 
> On Wed, 11 Jan 2012 18:09:40 -0500
> "Mike Edenfield" <kut...@kutulu.org> wrote:
> 
> > > I agree. Longer pass{words,phrases} only increases the difficulty of
> > > the problem, but not significantly so.
> >
> > After I read the aforementioned xkcd comic, my main question was how
> > he defined the various bits of entropy for each "thing" done to a
> > password. That seemed to be a crucial determining factor in why the
> > "common words" password appeared so much harder than the "goofy
> > gibberish" one. Some seemed more obvious to me than others.
> >
> > I'm also curious, using the latest modern password-cracking
> > techniques, if his assessment really is accurate. As in, which of the
> > following two passwords would take longer to crack:
> >
> > #purpl3.R$!n#
> >
> > dovesymbolcarprince
 
> I noticed something about your first sample password, and it reveals a lot, I
> hinted at it in my reply to Dale. Look at the pattern one must type to enter
> that password (assuming a qwerty keyboard):
> 
> A symbol, a partial word, then 7 nonsense symbols. The pattern of those
> symbols is highly significant - composed entirely of keystrokes in the upper
> left area and lower right area of the keyboard with a few Shifts thrown in for
> good measure. Almost as if you dropped both hands on the keyboard and
> wiggled your fingers without moving the entire hand much.

Actually, it's just the words "purple RAIN" with e/a/I replaced with 3/4/1;
I chose l33t-sp33k since I figured it was so over-used for password
generation that everyone would recognize it immediately :) But yes, I think
Randall's point is much the same as yours: once the cracker tools "figure
out" this pattern of character replacements it becomes significantly less
secure. I'm just curious if there are any real metrics as to "how much less
secure" that is...

(Clearly my pop culture reference was too obscure, or you'd also have picked
up on the connection between the four random words. :) )

--K
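
The "how much less secure" question can be put into numbers by scoring both sample passwords from this thread under two guessing models: blind brute force, and a guesser that already knows the word-plus-substitution pattern. This is an added example, not code from the thread's participants; the 2048-word list size, the three case styles, the one-bit-per-substitutable-letter rule, the six-word sample list and the substitution table are all assumptions made for illustration.

```python
import math
import string

# Assumptions (illustrative, not measured): words are drawn uniformly from a
# 2048-word list, each word has 3 case styles, each substitutable letter is
# either swapped or not (1 bit), leftover characters are uniform in their class.
WORDLIST_SIZE = 2048
WORDS = {"purple", "rain", "dove", "symbol", "car", "prince"}  # constructed sample
UNLEET = {"3": "e", "4": "a", "$": "a", "1": "i", "!": "i", "0": "o"}  # constructed
CASE_STYLES = 3  # lower, Capitalised, UPPER
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def naive_bits(pw):
    """Brute-force model: every character uniform over the classes in use."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool or len(string.printable))


def pattern_bits(pw):
    """Pattern-aware model: dictionary words with substitutions, then leftovers."""
    # One-to-one normalisation keeps indexes aligned with the original string.
    plain = "".join(UNLEET.get(c, c).lower() for c in pw)
    bits, i = 0.0, 0
    while i < len(pw):
        # Longest sample word starting at position i of the normalised string.
        hit = max((w for w in WORDS if plain.startswith(w, i)),
                  key=len, default=None)
        if hit:
            swappable = sum(ch in UNLEET.values() for ch in hit)
            bits += math.log2(WORDLIST_SIZE) + math.log2(CASE_STYLES) + swappable
            i += len(hit)
        else:
            # Character outside any known word: uniform over its own class.
            cls = next((c for c in CLASSES if pw[i] in c), string.printable)
            bits += math.log2(len(cls))
            i += 1
    return bits


if __name__ == "__main__":
    for sample in ("#purpl3.R$!n#", "dovesymbolcarprince"):
        print(f"{sample!r}: naive {naive_bits(sample):.1f} bits, "
              f"pattern-aware {pattern_bits(sample):.1f} bits")
```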

