Password strength

kf4hcw kf4hcw at lifeatwarp9.com
Tue Oct 21 14:15:49 CDT 2014


On 2014-10-21 10:39, Rob Seastrom wrote:
> People's tendency to use actual English phrases lowers the amount of
> entropy by a substantial amount.  How substantial?  Might be trillions
> or quadrillions of years worth...  which would be startling, but in
> the end, inconsequential.
Perhaps, mathematically, but for a few thousand dollars one can buy many
hundreds of cores in a handful of graphics cards, so trillions, while
sounding like a big number, isn't and getting "more isn't" every day.
For example, I just selected a video card a few months ago for video
production and went low-mid grade... just to shave off some rendering
time. I spent a few hundred dollars and got 96 cores each running at
about 1GHz. If I'd picked up a "gaming" grade video card I could easily
have ended up with 2048 cores (GTX980) -- divide a trillion by
2048 and it's much smaller.

Compare password cracking with bitcoin mining -- basically, trying
hashes -- and you could be looking at numbers like: 1G hashes/second...
and that's if they bother doing it in a single box with a decent video
card instead of tens of thousands of boxes in a bot-net... all depending
upon how valuable that might be -- but to the blackhatzes it's almost no
cost because they're stealing their hardware and power anyway.

Also, and more importantly, the mathematical entropy one gets when using
log2(dictionary-size) style calculations is dramatically overstated
because any phrase you can remember places fairly strict constraints on
subsequent words given a prefix, and on the likelihood of any given
phrase or word... this is precisely why auto-completion mechanisms work
when typing into your cell phone or your favorite search engine... by
the time you've put in a few letters, most of the time, the next word is
there; after a word or two the phrase you're looking for has already
been guessed. Attackers use the same techniques to order their guesses.

I'm not trying to put too fine a point on it though ... I'd much rather
have folks use a long memorable phrase than a short pw on a sticky note
on their monitor any day of the week.

That said, do this: Use a phrase that's a little off the beaten path
(not a meme) and then do something quirky with it like throwing a dot in
the middle or a number. The trick there is that even if they guess your
phrase from their short list they're not likely to guess all the quirky
things you might do to it let alone the specific quirky thing you did.

_M

-- 
kf4hcw
Pete McNeil
lifeatwarp9.com/kf4hcw
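The two estimates the post contrasts (the naive log2(dictionary-size) figure versus a phrase where each word is constrained by the words before it) can be put side by side numerically. The following is an added worked example, not code from Pete McNeil or the Tacos list; it assumes a 7776-word list (the size of a standard Diceware-style list), a constructed guess that a memorable phrase leaves only about 50 plausible next words after each prefix, and the 1G hashes/second rate mentioned in the post. The point it shows is how far the "trillions" shrinks once guesses are ordered by phrase likelihood.

```python
import math

# Constructed assumptions for the example (not figures from the post,
# except the 1e9 guesses/second rate):
DICT_SIZE = 7776          # word-list size used by Diceware-style generators
PLAUSIBLE_NEXT = 50       # assumed number of likely successors after a prefix
GUESSES_PER_SECOND = 1e9  # "1G hashes/second" from the post


def keyspace_uniform(dict_size: int, n_words: int) -> int:
    """Naive model: every word chosen independently and uniformly."""
    return dict_size ** n_words


def keyspace_prefix_constrained(dict_size: int, n_words: int, successors: int) -> int:
    """Phrase model: first word free, each later word limited to the
    handful of successors a person would actually remember (the same
    structure an auto-completer exploits)."""
    return dict_size * successors ** (n_words - 1)


def bits(keyspace: int) -> float:
    """Entropy in bits for a keyspace searched uniformly."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate


def compare(n_words: int) -> dict:
    """Summarise both models for an n-word passphrase."""
    uni = keyspace_uniform(DICT_SIZE, n_words)
    con = keyspace_prefix_constrained(DICT_SIZE, n_words, PLAUSIBLE_NEXT)
    return {
        "uniform_bits": bits(uni),
        "uniform_days": seconds_to_exhaust(uni, GUESSES_PER_SECOND) / 86400,
        "constrained_bits": bits(con),
        "constrained_seconds": seconds_to_exhaust(con, GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        r = compare(n)
        print(f"{n} words: uniform {r['uniform_bits']:.1f} bits "
              f"({r['uniform_days']:.1f} days to exhaust), "
              f"constrained {r['constrained_bits']:.1f} bits "
              f"({r['constrained_seconds']:.1f} s to exhaust)")
```

For four words the uniform model gives about 51.7 bits, roughly 42 days of exhaustive search at 1e9 guesses/second on the one card, while the prefix-constrained model gives under 30 bits, exhausted in about a second. Changing the successor count or the rate (a larger card, or many boxes) is a one-line edit, which is the easiest way to see why the absolute "years" number matters less than the gap between the two models.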



More information about the Tacos mailing list