Posted by Martin Wessendorf-2 on
URL: http://confocal-microscopy-list.275.s1.nabble.com/Password-Strength-tp6673797p6677287.html
*****
To join, leave or search the confocal microscopy listserv, go to:
http://lists.umn.edu/cgi-bin/wa?A0=confocalmicroscopy
*****
On 8/11/2011 11:29 AM, Tao Tong wrote:
> But "correct horse battery staple" are composed of all common dictionary
> words, and it is not immune to dictionary attack. co01ho02ba03st04 is a
> little better.
>
> Better still, from a phrase like this:
>
> Go ahead, make my day.
>
> you get gammd from the first letters from each word, then throw in some
> variations, such as gAmmD0809
>
> Should be much better, easy to remember, hard to crack.
If we consider a 9 character password and assume that the characters can
be one of 128 ASCII characters, we get a total of (128)^9 possible
combinations, or 9.2 x 10^18.
If we assume that English contains 50,000 "common" words that a
dictionary would need to contain (--I think that would be a conservative
estimate, since English has a total vocabulary of about 250,000 words
and capitalizations, proper names, etc would all need to be considered)
and limit our password to 4 words, we would get 6.3 x 10^18--i.e. almost
the same.
My sense is that the "four-words" strategy would probably work, as long
as the resulting password were reasonably long and word order were truly
random (i.e., not "big dog bit me").
From what others have observed, it sounds as if the real place to tackle
password security is on the server: to limit logon attempts to one every
5 seconds or so--short enough not to drive users nuts but long enough to
hamper brute-force attacks.
Martin
--
Martin Wessendorf, Ph.D. office: (612) 626-0145
Assoc Prof, Dept Neuroscience lab: (612) 624-2991
University of Minnesota Preferred FAX: (612) 624-8118
6-145 Jackson Hall, 321 Church St. SE Dept Fax: (612) 626-5009
Minneapolis, MN 55455 e-mail:
[hidden email]
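The arithmetic in Martin's post (128^9 characters versus 50,000^4 words) and his point about server-side throttling can be turned into a small calculator. The following is an added example, not code from the list or from any of the posters; the 128-symbol alphabet, the 50,000-word dictionary, the 9-character length and the 4-word length are the figures from the post, and the guess rate of one attempt per 5 seconds is his suggested server limit. The code assumes, as the post does, that every character or word is chosen uniformly at random; a passphrase built from a familiar sentence does not get the full count.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(symbols: int, length: int) -> int:
    """Number of candidates when each of `length` positions is drawn
    uniformly from `symbols` possibilities (ASCII characters for a
    password, dictionary words for a passphrase)."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Same quantity expressed as bits: length * log2(symbols).
    Only valid for uniformly random choices; a quoted phrase such as
    "big dog bit me" is one of far fewer candidates than symbols**length."""
    return length * math.log2(symbols)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at a fixed
    guess rate. The expected time to a hit is about half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes(guesses_per_second: float = 1 / 5):
    """Compare the two schemes from the post at a given online guess rate.
    Default rate: one logon attempt per 5 seconds (the suggested server limit).
    Returns a dict keyed by scheme name."""
    schemes = {
        # 9 characters, each one of 128 ASCII values (figures from the post)
        "9 ASCII chars": (128, 9),
        # 4 words drawn at random from a 50,000-word dictionary (figures from the post)
        "4 random words": (50000, 4),
    }
    report = {}
    for name, (symbols, length) in schemes.items():
        space = search_space(symbols, length)
        report[name] = {
            "candidates": space,
            "bits": entropy_bits(symbols, length),
            "years_to_exhaust": years_to_exhaust(space, guesses_per_second),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:15s} {row['candidates']:.2e} candidates "
              f"({row['bits']:.1f} bits), "
              f"{row['years_to_exhaust']:.2e} years at 1 guess / 5 s")
```

The two schemes come out within one bit of each other (63.0 versus about 62.4 bits), which is the "almost the same" in the post. The `guesses_per_second` parameter is the part worth experimenting with: the 5-second limit only constrains guessing that goes through the server's logon path, so a password hash obtained some other way is tested at whatever rate the hashing function allows, which is many orders of magnitude faster than 0.2 guesses per second.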