Posted by Mario Emmenlauer on
URL: http://confocal-microscopy-list.275.s1.nabble.com/Password-Strength-tp6673797p6680122.html
*****
To join, leave or search the confocal microscopy listserv, go to:
http://lists.umn.edu/cgi-bin/wa?A0=confocalmicroscopy
*****
> On 8/11/2011 11:29 AM, Tao Tong wrote:
>> But "correct horse battery staple" is composed of all common dictionary
>> words, and it is not immune to dictionary attack. co01ho02ba03st04 is a
>> little better.
>> Better still, from a phrase like this:
>> Go ahead, make my day.
>> you get gammd from the first letters of each word, then throw in some
>> variations, such as gAmmD0809
>> Should be much better, easy to remember, hard to crack.
> If we consider a 9 character password and assume that the characters can
> be one of 128 ASCII characters, we get a total of (128)^9 possible
> combinations, or 9.2 x 10^18.
> If we assume that English contains 50,000 "common" words that a
> dictionary would need to contain (I think that would be a conservative
> estimate, since English has a total vocabulary of about 250,000 words
> and capitalizations, proper names, etc. would all need to be considered)
> and limit our password to 4 words, we would get 6.3 x 10^18, i.e. almost
> the same.
> My sense is that the "four-words" strategy would probably work, as long
> as the resulting password were reasonably long and word order were truly
> random (i.e., not "big dog bit me").
I quickly computed the same numbers, and even with a conservative guess
of 10,000 "common" words it's (currently) impossible to break such a
multi-word password. :-)
> From what others have observed, it sounds as if the real place to tackle
> password security is on the server: to limit logon attempts to one every
> 5 seconds or so, short enough not to drive users nuts but long enough to
> hamper brute-force attacks.
I don't think this is the typical problem. Much server software already
limits login attempts (i.e. check the ssh MaxStartups config parameter).
If the software itself doesn't do it, there are firewalls and other
traffic monitoring packages that can do the same thing (denyhosts, fail2ban,
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/).
But I think the password attack discussed in the xkcd assumes that the
attacker is already in possession of the encrypted password. A remote
attack with 1000 guesses / sec on any reasonable web service is not very
realistic. I.e. for a website, a small error message from the server
might be 1k in size, leading to 1MB/sec traffic for the attack. It's
unlikely that 1MB/sec of login attempts goes unnoticed, unless the admin has
no monitoring whatsoever.
I assume that the xkcd is rather concerned about when hackers steal
encrypted passwords from 30,000,000 PlayStation Network customers, and
those (hopefully encrypted) passwords have not been salted
(http://en.wikipedia.org/wiki/Salt_%28cryptography%29) :-)
Just my two cents,
Mario
> Martin
> --
> Martin Wessendorf, Ph.D.
> Assoc Prof, Dept Neuroscience, University of Minnesota
> 6-145 Jackson Hall, 321 Church St. SE, Minneapolis, MN 55455
> office: (612) 626-0145   lab: (612) 624-2991
> Preferred FAX: (612) 624-8118   Dept Fax: (612) 626-5009
> e-mail: [hidden email]
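The two points of the exchange above, worked through in Python: first the keyspace numbers Martin quotes (9 printable characters from a 128-symbol alphabet versus 4 words from a 50,000- or 10,000-word dictionary) and how long they take to exhaust at an online versus an offline guessing rate, then Mario's salting point, i.e. why a stolen unsalted password database falls to a single precomputed lookup table while a salted one forces the attacker to redo the dictionary per user. This is an added example, not code from the original post or from anyone in the thread. The six-word dictionary, the three-user database, the 1000 guesses/s online rate (taken from the post), the 1e9 guesses/s offline rate and the PBKDF2 iteration count are all my own assumptions for illustration.

```python
"""Added example; not part of the original mailing-list post.

Works through the keyspace arithmetic quoted in the thread and then shows
the effect of salting on an attacker who holds a stolen password database.
All dictionaries, users, rates and iteration counts below are assumptions
chosen for illustration.
"""
from __future__ import annotations

import hashlib
import math
import os

SECONDS_PER_YEAR = 365 * 24 * 3600
ONLINE_RATE = 1_000.0      # guesses/s against a live service, as in the post
OFFLINE_RATE = 1e9         # guesses/s against a stolen fast-hash DB (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn uniformly from an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Guessing entropy of a uniformly chosen password, in bits."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every password in `space` at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def summary() -> dict[str, tuple[float, float, float]]:
    """For each scheme in the thread: (bits, years online, years offline)."""
    schemes = {
        "9 chars from 128 symbols": keyspace(128, 9),
        "4 words from 50000": keyspace(50_000, 4),
        "4 words from 10000": keyspace(10_000, 4),
    }
    return {
        name: (entropy_bits(s), years_to_exhaust(s, ONLINE_RATE),
               years_to_exhaust(s, OFFLINE_RATE))
        for name, s in schemes.items()
    }


# --- salting ----------------------------------------------------------------
# Constructed dictionary and user database, for illustration only.
DICTIONARY = ["correct", "horse", "battery", "staple", "password", "letmein"]
USERS = {"alice": "password", "bob": "password", "carol": "staple"}


def hash_unsalted(password: str) -> str:
    """The weak scheme: a single fast hash of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted, iterated KDF. The iteration count is illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()


def build_lookup_table() -> dict[str, str]:
    """Attacker's precomputation: hash every dictionary word once, unsalted."""
    return {hash_unsalted(w): w for w in DICTIONARY}


def crack_with_table(stolen: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Match stolen hashes against the table; one table is reused for the whole DB."""
    return {user: table[h] for user, h in stolen.items() if h in table}


def demo_salting() -> dict[str, int]:
    """Compare attacker effort against an unsalted and a salted copy of USERS."""
    # Unsalted: build the table once (len(DICTIONARY) hashes), crack everyone.
    unsalted_db = {u: hash_unsalted(p) for u, p in USERS.items()}
    table = build_lookup_table()
    unsalted_hits = crack_with_table(unsalted_db, table)

    # Salted: a fresh random salt per user, stored beside the hash (so the
    # attacker has it too). The precomputed table never matches a salted hash.
    salts = {u: os.urandom(16) for u in USERS}
    salted_db = {u: hash_salted(p, salts[u]) for u, p in USERS.items()}
    table_hits = crack_with_table(salted_db, table)

    # The attacker must rerun the whole dictionary once per user, per salt.
    per_user_hits: dict[str, str] = {}
    salted_work = 0
    for user, h in salted_db.items():
        for word in DICTIONARY:
            salted_work += 1
            if hash_salted(word, salts[user]) == h:
                per_user_hits[user] = word

    return {
        "unsalted_hits": len(unsalted_hits),
        "unsalted_work": len(DICTIONARY),
        "salted_table_hits": len(table_hits),
        "salted_hits": len(per_user_hits),
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    for name, (bits, online, offline) in summary().items():
        print(f"{name:26s} {bits:5.1f} bits  online {online:.2e} y  offline {offline:.2e} y")
    print(demo_salting())
```

Both the unsalted and the salted database end up fully cracked here, because every constructed user chose a dictionary word; the difference is that the salted copy costs the attacker a full dictionary pass per user with no reuse between users, and with a real dictionary and a slow KDF that per-user cost is the whole point. Note too that the online figure for the 10,000-word case is in the hundreds of thousands of years, which is the number behind "currently impossible", while the offline figure shows why the stolen-database scenario is the one that matters.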