On 11/29/14 22:06, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better;
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns
There's an XKCD comic along these lines. I'm too lazy to dig it up.

"It's complicated."

Both have eight "things". The latter is drawn from a much, much larger set (words (thousands) vs. characters (not 100)). So, looks like a simple win for the second over the first, right?

Problem is the words "connect" to humans. "little" is more likely to be followed by "lamb" than it is "red" (though if "red" follows "little", I bet the next word would be "wagon"). "red" is more likely to be followed by "barn" than "lamb". Still, there's a huge number of choices for each "word", so I'd say the phrases still win.

(Sorta related side note: at least with names, there are some curious clusters that are seen -- for example, a friend of mine and her two siblings have (basically) the same names as three of Adolph Hitler's siblings (one is a slight stretch, the other two are dead-on, which is impressive considering the very different ethnic backgrounds). I don't think my friend's parents would have permitted this had they known. I've seen similar "groupings" of names in other families. (Did I just win the award for most unexpected use of "hitler" in an internet discussion?))

Simply saying "there are X words of five letters or less and there are eight of them in my pw, which means there are X^8 PWs someone would have to try to get my PW" is wrong by probably several orders of magnitude. That's not how humans pick passwords, and if the computer does it for you, it might be as hard or harder than if you use random characters.

Then there is the system where it is stored. If you are working on a stock Solaris 9 or AIX system with the default settings, only the first eight chars are used, so the random string is much better than "mylittle", and if you, like most people, reuse passwords or don't know that the target system only uses the first eight characters, you can end up using a trivial pw that you thought was really good.
If the back-end storage "gives away" the length of the pw in any way and you see the pw is 33 chars long, you can probably bet it isn't going to be random characters, so you would probably set your PW guesser to use dictionary words rather than random characters, reducing the advantage.

Which is easier to remember for real people? Which is easier to type? No contest -- and for that reason, I'd say the overall benefit is with the string of eight words over the string of eight random characters.

But...

Realistically, most attacks seem to be based on breaking TRIVIAL passwords, social engineering, or the use of software flaws that permit access to things that allow access to things that allow access to things ... so either is probably "more than sufficient" to make sure that a password guess of either of those accounts was NOT the reason for a security breach. Kinda like escaping from a hungry lion... you don't need to outrun the lion, you just need to outrun your friend. You don't need an unbreakable password, you just need one better than management uses, and you can't be blamed for the breach. Anything more than that is probably wasted effort.

If there is a breach that permits the download of the hashed PW file, both may be similarly prone to off-line brute-forcing.

Sounds cynical, but really, if you are arguing over which is the "better" password, you are wasting time that should be spent looking for more likely security problems.

That kinda brings it back to OpenBSD for you. :)

Nick.
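The comparison Nick sketches (eight uniformly chosen characters vs. eight words, the drop when a human picks "connected" words, and the drop when an old crypt(3) back end keeps only the first eight characters) can be put into numbers. The following is an added example written for this page, not code from the thread or from any of the systems mentioned. The two passwords are the ones from the question; the 7776-word list size (a Diceware-sized list), the "20 plausible next words" figure in the human-selection model, and the 8-character truncation limit are illustrative assumptions, not measurements.

```python
import math
import string

# The two candidate passwords from the question.
RANDOM_PW = "kMH65?&3"
PHRASE_PW = "mylittlelambjumpedovertenredbarns"
PHRASE_WORDS = ["my", "little", "lamb", "jumped", "over", "ten", "red", "barns"]

# Assumption: words drawn from a Diceware-sized list of 7776 entries.
WORDLIST_SIZE = 7776
# Assumption: traditional DES crypt(3) keeps only the first 8 characters.
LEGACY_CRYPT_LIMIT = 8

CHAR_CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,   # 32 printable ASCII symbols
]


def bits_for_uniform(choices: int, positions: int) -> float:
    """Entropy in bits when every position is an independent uniform draw."""
    return positions * math.log2(choices)


def charset_size(password: str) -> int:
    """Size of the union of standard character classes a password touches.

    This is what a guesser would assume about a random-character password:
    the attacker must cover every class the password uses.
    """
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def bits_random_chars(password: str) -> float:
    """Strength of a password modelled as uniform random characters."""
    return bits_for_uniform(charset_size(password), len(password))


def bits_phrase_uniform(words, wordlist_size: int = WORDLIST_SIZE) -> float:
    """The naive 'X^8' figure: every word an independent uniform pick."""
    return bits_for_uniform(wordlist_size, len(words))


def bits_phrase_human(words, wordlist_size: int = WORDLIST_SIZE,
                      plausible_next: int = 20) -> float:
    """Crude model of human word selection.

    The first word is a uniform pick, but each following word is assumed to
    be one of only `plausible_next` likely continuations ("little" -> "lamb").
    The parameter is an assumption chosen to illustrate the order-of-magnitude
    loss, not a measured value.
    """
    return math.log2(wordlist_size) + (len(words) - 1) * math.log2(plausible_next)


def bits_after_truncation(password: str, limit: int = LEGACY_CRYPT_LIMIT) -> float:
    """Strength if the back end silently keeps only the first `limit` chars.

    Only the retained prefix matters, and its character classes decide the
    search space: "mylittle" is eight lowercase letters, nothing more.
    """
    return bits_random_chars(password[:limit])


def compare() -> dict:
    """Return all four estimates so the trade-off can be read side by side."""
    return {
        "random_chars": bits_random_chars(RANDOM_PW),
        "phrase_naive": bits_phrase_uniform(PHRASE_WORDS),
        "phrase_human_model": bits_phrase_human(PHRASE_WORDS),
        "phrase_truncated_to_8": bits_after_truncation(PHRASE_PW),
        "random_truncated_to_8": bits_after_truncation(RANDOM_PW),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:24s} {bits:6.1f} bits")
```

Under these assumptions the passphrase wins on paper by about 50 bits, keeps a smaller but real edge even when later words are constrained to a handful of likely followers, and loses outright once a legacy back end truncates it to "mylittle" (26^8 possibilities, fewer than the 94^8 the random string retains under the same truncation). Change `plausible_next` or `WORDLIST_SIZE` to see how quickly the phrase's advantage depends on how the words were actually chosen.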