[Discuss] deadmanish login?
Kent Borg
kentborg at borg.org
Fri Feb 3 07:38:09 EST 2017
On 02/02/2017 07:48 PM, Richard Pieri wrote:
> On 2/2/2017 5:15 PM, Kent Borg wrote:
>> It depends on where those words came from. I am not relying on some
>> trick, I am relying on raw combinations.
> A dictionary attack against "premium student viking" using a given set
> of dictionaries takes exactly the same number of tries regardless
And if the dictionary has, let's say for round numbers 2048 words, then
it takes 2048 attempts to try them all.
If I have three of those words in a row it takes 2048*2048*2048 attempts
to try them all. That's 33-bits of entropy. The fact that the 33-bits
are coded in 1s and 0s, in ASCII 1s and 0s, in hex, in base64, or in a
lookup table words doesn't change how many attempts are needed. It is all
about the number of combinations.
> regardless of how
> you selected those words.
No. If you choose words that "seem" random, if you choose words that a
cracker could anticipate, then those combinations can be tried first,
and the right combination found sooner. The cracker might anticipate
your behavior, but if the words are chosen randomly then the attacker
has to anticipate the random number generator; has to anticipate the
roll of the dice, has to anticipate the draw of the cards, has to
anticipate the bits in urandom: in each case you want them to be
impossible to anticipate.
It is not possible to know how many bits of entropy are in a password by
looking at it, you can't tell if a password is really good by looking,
you really have to know how it was created to be sure.
-kb
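The arithmetic in the post above, as an added example that is not part of the original message: the number of attempts to exhaust a passphrase space depends only on the list size and the number of words chosen uniformly at random, not on how the secret is spelled out. The 2048-entry word list and all function names are assumptions constructed for this example.

```python
import math
import secrets

# Constructed sample word list: 2048 placeholder words, the "round number"
# used in the post, standing in for a real Diceware-style list.
WORDLIST = [f"word{i:04d}" for i in range(2048)]


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words picked uniformly and independently from a list
    of wordlist_size words: log2(wordlist_size ** n_words)."""
    return n_words * math.log2(wordlist_size)


def attempts_to_exhaust(wordlist_size: int, n_words: int) -> int:
    """Combinations a dictionary attack must try to cover the whole space.
    This is the same count whatever encoding the secret is written in."""
    return wordlist_size ** n_words


def random_passphrase(words, n_words: int) -> str:
    """Choose words with the OS CSPRNG (secrets), the software equivalent of
    rolling dice; only a selection like this earns the entropy figure above.
    A phrase a person picks because it 'seems' random gets no such credit."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def encode_as_hex(phrase: str, words) -> str:
    """Rewrite the same secret as 11-bit word indices in hex (3 hex digits
    each): a different spelling of the same 33 bits, same attacker effort."""
    return "".join(f"{words.index(w):03x}" for w in phrase.split())


if __name__ == "__main__":
    phrase = random_passphrase(WORDLIST, 3)
    print(phrase, "->", encode_as_hex(phrase, WORDLIST))
    print("entropy bits:", passphrase_entropy_bits(len(WORDLIST), 3))
    print("attempts to exhaust:", attempts_to_exhaust(len(WORDLIST), 3))
```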