On 04/17/2011 06:58 PM, Robert J. Hansen wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 years. > > I am giving a great big yuk to his methodology. There's no reference to the > entropy of text, for instance. His example of a three common word password, > "this is fun," amounts to a total of 11 letters: this will be around 22 bits > of entropy, or 4 million combinations. @ 100 attempts per second, that > requires 40,000 seconds, or about 11 hours. He claims it'll take 2,357 > years. Let's just say I'm skeptical. > > Also, look at his claims for a six-character "common word." Okay, so this > has at most 10 bits of entropy or so: any more and it wouldn't be common. 10 > bits of entropy equals 1000 possibilities, @ 100 per second equals ten > seconds to break it -- not the 3 minutes he claims. > > His math doesn't work. I call shenanigans on the entire thing. >
I think it's worth noting that the low entropy of english (you quoted 2.5 bits per char in another thread) isn't just an academic issue. Real password crackers actually do employ multiple strategies and passes in order of complexity. For example, starting with dictionary, then dictionary w/leetspeak, eventually brute force, etc. My other big gripe with this article is that it completely ignores the possibility of an offline attack against the hashes. It's assuming that the limiting factor is the number of times you can access a webpage. I've been goofing around with BitCoin this weekend, and my MacBook Pro is generating about 2 Million SHA256 hashes a second. -- -Grant "Look around! Can you construct some sort of rudimentary lathe?"
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
