[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time)
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Tue, 28 Mar 2006 14:41:10 -0500

Well, but in the example passphrase you chose above (and adding 4 for and5 for s), there are 20 potentially leet chars. To specify each one as beingeither normal or leetified would add 20 bits of entropy. If you assume thebiggest threat against a complex passphrase like that is an advanceddictionary-based attack (combining multiple words and then testingleet-ified and number pre/post-fixed variations), then we just multipliedthe cost of bruting it by 2^20. I reckon that's a worthwhile multiplier!

Most password crackers (notably L0pht) can do "common charactersubstituion" tests in conjunction with a wordlist -- thus, 'l33t1fy1ng'your passwords is a pretty poor defense.


Michael Holstein CISSP GCIA
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:

Prev by Date: Re: [Full-disclosure] Industry calls on Microsoft to scrap PatchTuesday for Critical flaws
Next by Date: Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data
Previous by thread: [Full-disclosure] Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time)
Next by thread: [Full-disclosure] [ GLSA 200603-24 ] RealPlayer: Buffer overflow vulnerability
Index(es):
- Date
- Thread