[Noisebridge-discuss] Fw: continuing adventures in the brave new world.

Will Sargent will.sargent at gmail.com
Wed Apr 4 23:19:58 UTC 2012

On Wed, Apr 4, 2012 at 4:10 PM, Seth David Schoen <schoen at loyalty.org>wrote:

> Will Sargent writes:
> > I think it's just checking for some minimum entropy and using some of the
> > heuristics built into crackers like John the Ripper and l0phtcrack.
> >
> > I wouldn't put too much stock into HOW secure a password is, as computers
> > are always getting faster and even good algorithms are vulnerable to GPU
> > based crackers these days (I wrote a bit about this in
> > http://tersesystems.com/2012/02/17/failing-with-passwords).  It's more
> > about showing to people that the passwords they think ARE good are
> actually
> > trivially easy to crack.
> But I think there's a big difference between 9 years and a nonillion
> years.

I agree completely.

> I think the material in your presentation/blog post is right and very
> useful, but I'm still concerned about people ending up using short
> English phrases or short sequences of very common words as their master
> passphrases/device passphrases (without key stretching).  Reinhold's
> Diceware list literally includes 6⁵=7776 words and a four-word classic
> Diceware passphrase is only 51 bits of entropy.  We _know how to build_
> affordable machines that can crack that in less than a week.  But this
> password strength site is going to tell people that it will survive
> many years.

There's a point of diminishing returns for a browser based javascript
checker.  I do agree the attempted precision is a bit much.

> Here, I just made a four-word classic Diceware passphrase with 51 bits
> of entropy: type curve hurty digit.  But howstrongismypassword.net says
> my password will take
> About 297 quintillion years
> to crack.  No way!
> Even for a desktop PC, that figure is off by a factor of about 1
> quintillion, if the enemy knows the system.  That dwarfs any problem
> about neglecting the advance of GPUs or whatever.  (A GPU or some
> custom ASICs or anything does not give a speedup factor of a
> quintillion...)

Have you considered writing to the author of the website about this?  I
don't know much about diceware, but I do agree that password phrases have
their own weaknesses if they're common parlance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20120404/c553f428/attachment.html>

More information about the Noisebridge-discuss mailing list