[Noisebridge-discuss] Fw: continuing adventures in the brave new world.
Will Sargent
will.sargent at gmail.com
Wed Apr 4 23:19:58 UTC 2012
On Wed, Apr 4, 2012 at 4:10 PM, Seth David Schoen <schoen at loyalty.org>wrote:
> Will Sargent writes:
>
> > I think it's just checking for some minimum entropy and using some of the
> > heuristics built into crackers like John the Ripper and l0phtcrack.
> >
> > I wouldn't put too much stock into HOW secure a password is, as computers
> > are always getting faster and even good algorithms are vulnerable to GPU
> > based crackers these days (I wrote a bit about this in
> > http://tersesystems.com/2012/02/17/failing-with-passwords). It's more
> > about showing to people that the passwords they think ARE good are
> actually
> > trivially easy to crack.
>
> But I think there's a big difference between 9 years and a nonillion
> years.
>
I agree completely.
> I think the material in your presentation/blog post is right and very
> useful, but I'm still concerned about people ending up using short
> English phrases or short sequences of very common words as their master
> passphrases/device passphrases (without key stretching). Reinhold's
> Diceware list literally includes 6⁵=7776 words and a four-word classic
> Diceware passphrase is only 51 bits of entropy. We _know how to build_
> affordable machines that can crack that in less than a week. But this
> password strength site is going to tell people that it will survive
> many years.
>
There's a point of diminishing returns for a browser based javascript
checker. I do agree the attempted precision is a bit much.
> Here, I just made a four-word classic Diceware passphrase with 51 bits
> of entropy: type curve hurty digit. But howstrongismypassword.net says
> my password will take
>
> About 297 quintillion years
>
> to crack. No way!
>
> Even for a desktop PC, that figure is off by a factor of about 1
> quintillion, if the enemy knows the system. That dwarfs any problem
> about neglecting the advance of GPUs or whatever. (A GPU or some
> custom ASICs or anything does not give a speedup factor of a
> quintillion...)
Have you considered writing to the author of the website about this? I
don't know much about diceware, but I do agree that password phrases have
their own weaknesses if they're common parlance.
Will.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.noisebridge.net/pipermail/noisebridge-discuss/attachments/20120404/c553f428/attachment-0003.html>
More information about the Noisebridge-discuss
mailing list