It all comes down to the attacker's password-guessing heuristics... if
I were writing a brute force calculator, combinations of dictionary
words and l33tified dictionary words, with and without whitespace,
caps, camelcase, punctuation, leading and trailing numerals, etc.,
would be right up at the top.  With the knowledge that the environment
under attack enforced complex passwords, I'd not even try the
non-complex set.

I once wrote a password filter that, in addition to ensuring the user
wasn't using parts of his name in the password, tested against a long,
predefined list of "complex" yet common passwords ("Football!" and the
like).  It rejected many, many password change attempts.

--Steve
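A minimal filter of the kind Steve describes, added here as an example rather than his code or anything from the list: it normalizes a candidate the way a guess generator would (case-fold, undo l33t substitutions, drop leading years and trailing numerals/punctuation, drop whitespace) and then rejects matches against a constructed sample of common "complex" passwords and against fragments of the user's name. The blocklist, the substitution table and the regular expressions are assumptions.

```python
import re

# Constructed sample blocklist of "complex"-looking but common passwords,
# stored in normalized form. A real filter would load thousands from a file.
COMMON_COMPLEX = {
    "football", "password", "welcome", "letmein", "baseball",
    "summer", "winter", "monkey", "dragon", "iloveyou", "qwerty",
}

# Undo the usual l33t substitutions. Ambiguous digits ('1' could be 'l' or
# 'i') get one fixed mapping here (an assumption); a stricter filter would
# try every expansion.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

_LEAD_DIGITS = re.compile(r"^\d{2,}")     # year-style prefixes: 2012Winter
_TRAIL_JUNK = re.compile(r"[\d\W_]+$")    # trailing numerals/punctuation: Winter12!
_NON_ALPHA = re.compile(r"[^a-z]+")       # whitespace and remaining punctuation

def normalize(password):
    """Collapse the variations a guess generator enumerates anyway."""
    pw = password.lower()
    pw = _LEAD_DIGITS.sub("", pw)
    pw = _TRAIL_JUNK.sub("", pw)
    pw = pw.translate(LEET)
    return _NON_ALPHA.sub("", pw)

def name_parts(full_name, min_len=3):
    """Pieces of the user's name worth matching (e.g. 'david', 'lum')."""
    return [p.lower() for p in re.split(r"[\s.,'-]+", full_name)
            if len(p) >= min_len]

def check_password(password, full_name=""):
    """Return (accepted, reason) for a proposed password."""
    norm = normalize(password)
    for part in name_parts(full_name):
        if part in norm:
            return False, "contains part of the user's name: " + part
    if norm in COMMON_COMPLEX:
        return False, "common password once normalized: " + norm
    return True, "ok"
```

Note that "L0ng passwords are stupid!" and "Long passwords are stupid!" normalize to the same string, which is the point of Dave's zero-for-o question below: a substitution the guess generator already enumerates adds nothing.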

On Thu, Mar 15, 2012 at 10:56 AM, David Lum <david....@nwea.org> wrote:
> Also, does adding punctuation increase the difficulty to crack? As in
> Long passwords are stupid!
>
> 26 characters, uppercase, lower case and special character. Is that tougher
> to crack than "correct horse battery staple"? Also it seems common to replace
> an "o" with a zero, is it common enough to negate that advantage, or is "L0ng
> passwords are stupid!" even tougher to crack than without the zero in it?
>
> Dave
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Thursday, March 15, 2012 7:13 AM
> To: NT System Admin Issues
> Subject: Worth some consideration...
>
> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>
> By Dan Goodin
> Ars Technica
> March 14, 2012
>
> Passwords that contain multiple words aren't as resistant as some researchers 
> expected to certain types of cracking attacks, mainly because users 
> frequently pick phrases that occur regularly in everyday speech, a recently 
> published paper concludes.
>
> Security managers have long regarded passphrases as an easy-to-remember way 
> to pack dozens of characters into the string that must be entered to access 
> online accounts or to unlock private encryption keys. The more characters, 
> the thinking goes, the harder it is for attackers to guess or otherwise crack 
> the code, since there are orders of magnitude more possible combinations.
>
> But a pair of computer scientists from Cambridge University has found that a 
> significant percentage of passphrases used in a real-world scenario were easy 
> to guess. Using a dictionary containing 20,656 phrases of movie titles, 
> sports team names, and other proper nouns, they were able to find about 8,000 
> passphrases chosen by users of Amazon's now-defunct PayPhrase system. That's
> an estimated 1.13 percent of the available accounts. The promise of
> passphrases' increased entropy, it seems, was undone by many users' tendency
> to pick phrases that are staples of the everyday lexicon.
>
> "Our results suggest that users aren't able to choose phrases made of 
> completely random words, but are influenced by the probability of a phrase 
> occurring in natural language," researchers Joseph Bonneau and Ekaterina 
> Shutova wrote in the paper (PDF), which is titled "Linguistic properties of 
> multi-word passphrases." "Examining the surprisingly weak distribution of 
> phrases in natural language, we can conclude that even 4-word phrases 
> probably provide less than 30 bits of security which is insufficient against 
> offline attack," the paper says.
>
> [...]
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
