Re: Password Strength

Posted by David Baddeley on
URL: http://confocal-microscopy-list.275.s1.nabble.com/Password-Strength-tp6673797p6674866.html

*****
To join, leave or search the confocal microscopy listserv, go to:
http://lists.umn.edu/cgi-bin/wa?A0=confocalmicroscopy
*****

Cool comic, and can't resist commenting ...

Speed-wise, 1000 attempts/sec is easily doable if (and only if - which is relatively uncommon) the site doesn't have a delay after a failed attempt (or a certain number of failed attempts). The request size is only likely to be a couple of hundred bytes, whereas you'll easily be getting 10s of Mbit/s to overseas internet sites these days. Remember that there's nothing to stop you sending the next request before the first one has returned.

Whilst the words should be random with respect to each other, there is no requirement that the method is uncommon. His 11 bits per word reflects the number of words in the dictionary rather than the information in each word (~56 bits). It thus already describes the method's strength against exactly the attack you propose. If you did somehow know the exact length of the password in advance you would probably lose another 4-5 bits, but this is unlikely.

David
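The arithmetic behind the two points above (entropy from dictionary size, not word rarity; and the small cost of an attacker knowing the exact character length), as an added worked example that is not part of David's post. The function names are my own, the 2048-word / 4-word and 28-bit figures are the comic's, and the word-length histogram `TOY_LENGTHS` is a constructed toy distribution, so the "bits lost" it produces is illustrative only. It goes slightly beyond the post in computing the length-known case exactly, by convolving the length histogram.

```python
import math
from collections import Counter

SECONDS_PER_DAY = 86_400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def bits_per_word(dictionary_size):
    """Entropy of one word drawn uniformly from a dictionary of the given size.
    A 2048-word list gives exactly 11 bits, the figure used in the comic."""
    return math.log2(dictionary_size)


def passphrase_bits(dictionary_size, n_words):
    """Entropy of n independently, uniformly chosen words: the strength against
    an attacker who knows the dictionary and tries every combination."""
    return n_words * bits_per_word(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space of 2**bits candidates at a fixed rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def days_to_exhaust(bits, guesses_per_second):
    return 2 ** bits / guesses_per_second / SECONDS_PER_DAY


def bandwidth_bound_rate(megabits_per_second, request_bytes):
    """Upper bound on online guesses/second when upstream bandwidth is the only
    limit (requests pipelined, no server-side delay after failures)."""
    return megabits_per_second * 1_000_000 / (request_bytes * 8)


def combos_by_total_length(length_histogram, n_words):
    """Count n-word sequences grouped by total character count.

    length_histogram maps word length -> number of dictionary words of that
    length. The result is the coefficient table of (sum_l c_l x**l) ** n_words,
    computed by repeated polynomial multiplication."""
    poly = {0: 1}
    for _ in range(n_words):
        nxt = Counter()
        for total, count in poly.items():
            for length, c in length_histogram.items():
                nxt[total + length] += count * c
        poly = dict(nxt)
    return poly


def bits_lost_if_length_known(length_histogram, n_words):
    """Return (full_bits, slice_bits, lost_bits).

    An attacker who learns the passphrase's total character length only has
    to search the sequences of that length. The defender's worst case is the
    most populous length, so that slice is used here."""
    dictionary_size = sum(length_histogram.values())
    full = math.log2(dictionary_size ** n_words)
    slices = combos_by_total_length(length_histogram, n_words)
    largest = max(slices.values())
    return full, math.log2(largest), full - math.log2(largest)


# Constructed toy word-length distribution for a 2048-word list (not a real
# dictionary); the "bits lost" figure depends entirely on this shape.
TOY_LENGTHS = {4: 300, 5: 500, 6: 600, 7: 400, 8: 248}

if __name__ == "__main__":
    bits = passphrase_bits(2048, 4)
    print(f"4 words from 2048: {bits:.0f} bits")
    for rate in (10, 100, 1000, bandwidth_bound_rate(10, 200)):
        print(f"  {rate:8.0f} guesses/s -> {years_to_exhaust(bits, rate):12.0f} years to exhaust")
    print(f"28-bit space at 1000/s: {days_to_exhaust(28, 1000):.1f} days")
    full, sl, lost = bits_lost_if_length_known(TOY_LENGTHS, 4)
    print(f"length known (toy dictionary): {full:.1f} -> {sl:.1f} bits, {lost:.1f} lost")
```

The convolution makes the "length known" cost concrete: with four words the total length can only take a handful of values, so the most populous slice is at least 1/(number of possible lengths) of the whole space, and the loss is bounded by log2 of that count (about 4 bits for the toy histogram), which is why the figure stays small regardless of the dictionary's exact shape.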


--- On Thu, 11/8/11, Guy Cox <[hidden email]> wrote:

> From: Guy Cox <[hidden email]>
> Subject: Re: Password Strength
> To: [hidden email]
> Received: Thursday, 11 August, 2011, 8:12 AM
>
> Martin,
>
> It's probably right, but 1000 guesses per second would require a connection speed way beyond even what I get on campus to another on-campus computer. Even 100 per second (one month) seems implausible. At 10 guesses per second you're looking at 2½ years ... And any system that will allow you 268,435,456 attempts at logging in before it freezes you out is terminally insecure! (MS exchange allows 5 tries).
>
> The four random words thing is fine provided that (a) only very few do it and (b) the words truly are random. But if it catches on then all a cracking algorithm has to do is try every combination of dictionary words that add up to the password length, a vastly simpler task.
>
> Guy
>
> Optical Imaging Techniques in Cell Biology
> by Guy Cox    CRC Press / Taylor & Francis
> http://www.guycox.com/optical.htm
> ______________________________________________
> Associate Professor Guy Cox, MA, DPhil(Oxon)
> Australian Centre for Microscopy & Microanalysis,
> Madsen Building F09, University of Sydney, NSW 2006
>
> Phone +61 2 9351 3176     Fax +61 2 9351 7682     Mobile 0413 281 861
> ______________________________________________
> http://www.guycox.net
>  
>
>
> -----Original Message-----
> From: Confocal Microscopy List [mailto:[hidden email]]
> On Behalf Of Martin Wessendorf
> Sent: Thursday, 11 August 2011 5:31 AM
> To: [hidden email]
> Subject: Password Strength
>
>
> Dear List--
>
> I can't say I've ever sent a link for a webcomic to the confocal list, but here goes.
>
> http://xkcd.com/936/
>
> (As far as I know, clicking on this link will not infect your computer with a virus or take you to a porn site.)
>
> Anybody able to verify or disprove this?  Intuitively, it makes sense, but so do a lot of things that are wrong.
>
> Martin
> --
> Martin Wessendorf, Ph.D.                 office: (612) 626-0145
> Assoc Prof, Dept Neuroscience            lab: (612) 624-2991
> University of Minnesota                  Preferred FAX: (612) 624-8118
> 6-145 Jackson Hall, 321 Church St. SE    Dept Fax: (612) 626-5009
> Minneapolis, MN  55455                   e-mail: [hidden email]
>
>