http://confocal-microscopy-list.275.s1.nabble.com/Password-Strength-tp6673797p6680209.html
Help Mr. Moderator!
security experts. All I can say is that the pay is MUCH better in that sector. Maybe a change of career (or list) is warranted?
> *****
> To join, leave or search the confocal microscopy listserv, go to:
> http://lists.umn.edu/cgi-bin/wa?A0=confocalmicroscopy
> *****
>
>> On 8/11/2011 11:29 AM, Tao Tong wrote:
>>> But "correct horse battery staple" is composed of all common dictionary words, and it is not immune to dictionary attack. co01ho02ba03st04 is a little better.
>>> Better still, from a phrase like this:
>>> Go ahead, make my day.
>>> you get gammd from the first letters of each word, then throw in some variations, such as gAmmD0809
>>> Should be much better, easy to remember, hard to crack.
>> If we consider a 9 character password and assume that the characters can be one of 128 ASCII characters, we get a total of (128)^9 possible combinations, or 9.2 x 10^18.
>> If we assume that English contains 50,000 "common" words that a dictionary would need to contain (--I think that would be a conservative estimate, since English has a total vocabulary of about 250,000 words and capitalizations, proper names, etc. would all need to be considered) and limit our password to 4 words, we would get 6.3 x 10^18--i.e., almost the same.
>> My sense is that the "four-words" strategy would probably work, as long as the resulting password were reasonably long and word order were truly random (i.e., not "big dog bit me").
>
> I quickly computed the same numbers, and even with a conservative guess of 10,000 "common" words it's (currently) impossible to break such a multi-word password. :-)
>
>> From what others have observed, it sounds as if the real place to tackle password security is on the server: to limit logon attempts to one every 5 seconds or so--short enough not to drive users nuts but long enough to hamper brute-force attacks.
>
> I don't think this is the typical problem. Much server software already limits login attempts (i.e. check the ssh MaxStartups config parameter). If the software itself doesn't do it, there are firewalls and other traffic monitoring packages that can do the same thing (denyhosts, fail2ban, http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/).
>
> But I think the password attack discussed in the xkcd assumes that the attacker is already in possession of the encrypted password. A remote attack with 1000 guesses / sec on any reasonable web-service is not very realistic. I.e. for a website, a small error message from the server might be 1k in size, leading to 1MB/sec traffic for the attack. It's unlikely that 1MB/sec login attempts go unnoticed, unless the Admin has no monitoring whatsoever.
>
> I assume that the xkcd is rather concerned about when hackers steal encrypted passwords from 30,000,000 playstation network customers, and those (hopefully encrypted) passwords have not been salted (http://en.wikipedia.org/wiki/Salt_%28cryptography%29) :-)
>
> Just my two cents,
>
> Mario
>
>
>> Martin
>> --
>> Martin Wessendorf, Ph.D.               office: (612) 626-0145
>> Assoc Prof, Dept Neuroscience          lab: (612) 624-2991
>> University of Minnesota                Preferred FAX: (612) 624-8118
>> 6-145 Jackson Hall, 321 Church St. SE  Dept Fax: (612) 626-5009
>> Minneapolis, MN 55455                  e-mail: [hidden email]
Robert J. Palmer Jr., Ph.D.
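The key-space arithmetic Martin and Mario trade above (128^9 characters versus 50,000^4 or 10,000^4 words, at the 1000 guesses/sec remote rate Mario mentions) and the unsalted-leak point at the end of Mario's message, worked through as an added Python example. This is not code from the thread or from any of its posters. The hash construction (standard-library PBKDF2-HMAC-SHA256), its iteration count, the 16-byte salt length, and the three sample accounts are assumptions made for the demonstration; the two sample passphrases are the ones quoted in the thread.

```python
"""Key-space arithmetic from the thread above, plus the salting point at its end.

Added example, not code from the mailing-list thread. Figures reused from the
thread: 128-symbol alphabet with 9 characters, 50,000- and 10,000-word
dictionaries with 4 words, and a remote rate of 1000 guesses/sec. The choice of
PBKDF2-HMAC-SHA256, the iteration count and the 16-byte salt are assumptions.
"""
import hashlib
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn from `alphabet_size` symbols.
    Works for characters (128 ASCII, 9 long) and for words (50,000 words, 4 long):
    a passphrase is just a password over a much larger alphabet."""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    """log2 of the key space: the guessing effort in bits. Only valid when the
    symbols are chosen uniformly at random, which is the thread's caveat about
    word order ("big dog bit me" is a sentence, not a random draw)."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare_strategies(guesses_per_second: float = 1000.0) -> dict:
    """The three key spaces the thread computes, as (size, bits, years-to-exhaust)."""
    cases = {
        "9 chars from 128 ASCII symbols": keyspace_size(128, 9),
        "4 words from a 50,000-word dictionary": keyspace_size(50_000, 4),
        "4 words from a 10,000-word dictionary": keyspace_size(10_000, 4),
    }
    return {
        name: (n, entropy_bits(n), years_to_exhaust(n, guesses_per_second))
        for name, n in cases.items()
    }


def hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Salted, iterated password hash (standard-library PBKDF2-HMAC-SHA256; the
    iteration count here is an assumption chosen to keep the demo quick)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_credential_table(users: dict, salted: bool) -> dict:
    """Toy credential store: user -> (salt, digest). `salted=False` reproduces
    the unsalted leak the thread worries about (every user hashed with no salt)."""
    table = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        table[user] = (salt, hash_password(password, salt))
    return table


def distinct_digests(table: dict) -> int:
    """Number of distinct stored digests. Without salt, users sharing a password
    share a digest, so one dictionary pass over the leaked table tests every
    account at once; with per-user salt each account costs a separate pass."""
    return len({digest for _salt, digest in table.values()})


# Constructed sample users; the two passphrases are the ones quoted in the thread.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "gAmmD0809",
}

if __name__ == "__main__":
    for name, (size, bits, years) in compare_strategies().items():
        print(f"{name}: {size:.2e} candidates, {bits:.1f} bits, "
              f"{years:.2e} years at 1000 guesses/sec")
    print("unsalted distinct digests:",
          distinct_digests(build_credential_table(SAMPLE_USERS, salted=False)))
    print("salted distinct digests:",
          distinct_digests(build_credential_table(SAMPLE_USERS, salted=True)))
```

The entropy figures confirm the thread's arithmetic: 128^9 is exactly 63 bits, four words from 50,000 is about 62.4 bits, and even four words from 10,000 is about 53 bits, which at 1000 guesses/sec takes on the order of 3 x 10^5 years to exhaust. The credential-table half shows the salting point in miniature: with no salt, two users who picked the same passphrase store the same digest, so a stolen table of 30 million rows can be attacked with one dictionary pass against all rows at once; with a random per-user salt, every row is a separate job.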