[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: kentborg at borg.org (Kent Borg)
- Date: Sat, 4 Feb 2017 21:19:43 -0500
- In-reply-to: <gmSeg95lRrqD1BiAnonSofQI4-s-SX_4SDY7asObPKfjUSP7-qdxjTD9LgybioJRHcZkBKuOnpV5pYVDSYeFY3KSMRCNbv4x8ZmNfRaUV-Qemail@example.com>
- References: <BD3AEAF8-C3A9-425E-A1DF-313491C25856@horne.net> <firstname.lastname@example.org> <gmSeg95lRrqD1BiAnonSofQI4-s-SX_4SDY7asObPKfjUSP7-qdxjTD9LgybioJRHcZkBKuOnpV5pYVDSYeFY3KSMRCNbv4x8ZmNfRaUV-Qemail@example.com>
On 02/04/2017 06:06 PM, Eric Chadbourne wrote:
> Entropy calc here and other neat stuff.
>
> https://gchq.github.io/CyberChef/

Entropy calculators mostly don't know.

It doesn't matter how a password scores according to some elegant information theory; what matters is how easy that password is for someone to guess. And though password guessing has progressed mightily in the last few years, it is still an expensive and subtle activity, well beyond what some little piece of open source software is up to instantly measuring.

To be efficient, password cracking needs to prioritize and check more likely passwords first. It matters greatly whether the password was dreamed up by an English speaker (check "password" first, concentrate on ASCII space after that) vs. dreamed up by an Arabic speaker (check "????????" first, concentrate on Arabic character set after that). It matters whether it was dreamed up by a colourful Brit vs. a colorless Yank. It matters whether it was dreamed up by a sports fan vs. an opera fan. It matters how old the person was who dreamed it up. Et cetera.

If the NSA tries to break some encryption key of yours they will take what they know about you (a lot) and dump that into their cracking. Names and places and birthdays, books you have read, schools you have attended, pets you have had, cars you have driven, languages you might speak, etc., will all inform how they prioritize the search. (How do I know? Because they are at least that smart. If they aren't that smart they should offer me a job; it would be fun to turn them down.)

I Googled up an online entropy checker and asked it what it thinks of "May the Force be with you!", and it was impressed. I tried "The quick brown fox jumps over the lazy dog." and it was even more impressed. Complete foolishness!

The only way to really know the minimum entropy of a password is to know how much entropy went into its creation, and a password calculator doesn't know how you created it.
Oh, and the online entropy calculator I found thinks a password is a password is a password. But they are not! A password that is complete overkill for your Twitter account (something rate limited) can still be worthless for encrypting data (something not rate limited). Reporting "entropy" (aren't we all fancy) yet ignoring that distinction is stupid.

Entropy calculators mostly don't know.

-kb
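The two points in the message above (a per-character entropy score says nothing about where a password sits on an attacker's priority list, and the same password means very different things against a rate-limited login versus an offline attack on captured data) can be made concrete. The following Python is an added example, not part of the original post and not CyberChef's code: `COMMON_GUESSES` is a constructed six-entry stand-in for the front of a cracker's ranked wordlist, and `ONLINE_RATE` and `OFFLINE_RATE` are assumed guess rates chosen only to illustrate the gap.

```python
import math
from collections import Counter

# Constructed stand-in for the front of a cracker's priority list; a real
# list would hold millions of entries ranked by popularity (assumption).
COMMON_GUESSES = [
    "password",
    "123456",
    "qwerty",
    "letmein",
    "may the force be with you!",
    "the quick brown fox jumps over the lazy dog.",
]

# Assumed guess rates: a throttled web login vs. an offline attack on a
# captured hash or ciphertext. Both are illustrative, not measured values.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e10


def shannon_entropy_bits(password: str) -> float:
    """Per-character Shannon entropy of the string, scaled by its length.

    This is the kind of figure an online 'entropy calculator' reports: it
    only looks at symbol frequencies inside the string and knows nothing
    about how the string was chosen.
    """
    if not password:
        return 0.0
    n = len(password)
    counts = Counter(password)
    per_char = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_char * n


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def guess_rank_bits(password: str, guesses=COMMON_GUESSES) -> float:
    """Bits of work for an attacker who tries `guesses` in order.

    An entry at position k falls after k+1 guesses, i.e. log2(k+1) bits.
    Anything not on the list gets the classic brute-force estimate
    len * log2(charset), which is the user's best case, not a guarantee.
    """
    try:
        k = guesses.index(password.lower())
    except ValueError:
        size = charset_size(password)
        return len(password) * math.log2(size) if size > 1 else 0.0
    return math.log2(k + 1)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a 2**bits search space."""
    return (2.0 ** bits) / guesses_per_second


def compare(password: str):
    """Return (shannon_bits, guess_rank_bits, online_seconds, offline_seconds)."""
    shannon = shannon_entropy_bits(password)
    rank = guess_rank_bits(password)
    return (
        shannon,
        rank,
        seconds_to_exhaust(rank, ONLINE_RATE),
        seconds_to_exhaust(rank, OFFLINE_RATE),
    )


if __name__ == "__main__":
    for pw in ("May the Force be with you!", "password", "xK9#q"):
        shannon, rank, online, offline = compare(pw)
        print(f"{pw!r}: shannon={shannon:.1f} bits, guess-rank={rank:.1f} bits, "
              f"online={online:.2g}s, offline={offline:.2g}s")
```

Run as a script, the phrase the message mentions scores close to 100 "entropy" bits under the per-character measure yet only a couple of bits of guess work once it is on the list, and the same guess-rank figure translates to seconds at the throttled rate versus microseconds offline.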