[Discuss] deadmanish login?

John Abreau jabr at blu.org
Fri Feb 3 08:40:53 EST 2017


Of course, if you publish a password on a public mailing list, it then has
zero bits of entropy regardless of how it was encoded. :)


On Fri, Feb 3, 2017 at 7:38 AM, Kent Borg <kentborg at borg.org> wrote:

> On 02/02/2017 07:48 PM, Richard Pieri wrote:
>
>> On 2/2/2017 5:15 PM, Kent Borg wrote:
>>
>>> It depends on where those words came from. I am not relying on some
>>> trick, I am relying on raw combinations.
>>>
>> A dictionary attack against "premium student viking" using a given set
>> of dictionaries takes exactly the same number of tries regardless
>>
>
> And if the dictionary has, let's say for round numbers 2048 words, then it
> takes 2048 attempts to try them all.
>
> If I have three of those words in a row it takes 2048*2048*2048 attempts
> to try them all. That's 33-bits of entropy. The fact that the 33-bits are
> coded in 1s and 0s, in ASCII 1s and 0s, in hex, in base64, or in a lookup
> table words doesn't change how many attempts are needed. It is all about the
> number of combinations.
>
>> regardless of how
>> you selected those words.
>>
>
> No. If you choose words that "seem" random, if you choose words that a
> cracker could anticipate, then those combinations can be tried first, and
> the right combination found sooner. The cracker might anticipate your
> behavior, but if the words are chosen randomly then the attacker has to
> anticipate the random number generator; has to anticipate the roll of the
> dice, has to anticipate the draw of the cards, has to anticipate the bits
> in urandom: in each case you want them to be impossible to anticipate.
>
> It is not possible to know how many bits of entropy are in a password by
> looking at it, you can't tell if a password is really good by looking, you
> really have to know how it was created to be sure.
>
> -kb



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
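
An added example, not part of the thread or any poster's own code: the quoted point that 33 random bits need the same number of guesses whether written as binary, hex, base64 or three words from a 2048-word list. The word list is a constructed stand-in built from syllables, and all function names are hypothetical.

```python
import base64
import math
import secrets

# Constructed stand-in word list: 16 onsets x 8 vowels x 16 codas = 2048 unique tokens.
ONSETS = "bdfghjklmnprstvz"
VOWELS = ["a", "e", "i", "o", "u", "ai", "ou", "ee"]
CODAS = "bdfgklmnprstvxyz"
WORDS = [o + v + c for o in ONSETS for v in VOWELS for c in CODAS]
assert len(WORDS) == 2048 and len(set(WORDS)) == 2048

BITS_PER_WORD = 11  # log2(2048)

def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)

def to_words(value, n_words=3):
    """Encode an integer of n_words * 11 bits as words, most significant first."""
    shifts = range((n_words - 1) * BITS_PER_WORD, -1, -BITS_PER_WORD)
    return " ".join(WORDS[(value >> s) & 0x7FF] for s in shifts)

def from_words(phrase):
    """Decode a phrase back to the integer it encodes."""
    value = 0
    for word in phrase.split():
        value = (value << BITS_PER_WORD) | WORDS.index(word)
    return value

def encodings(value, n_bits=33):
    """Render the same secret value in four notations; none adds or removes entropy."""
    raw = value.to_bytes((n_bits + 7) // 8, "big")
    return {
        "binary": format(value, f"0{n_bits}b"),
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode(),
        "words": to_words(value, n_bits // BITS_PER_WORD),
    }

def generate(n_words=3):
    """Draw the secret from the OS CSPRNG; the entropy comes from this step only."""
    return secrets.randbits(n_words * BITS_PER_WORD)

if __name__ == "__main__":
    secret = generate()
    for name, text in encodings(secret).items():
        print(f"{name:7} {text}")
    print(f"{entropy_bits(len(WORDS), 3):.0f} bits, {len(WORDS) ** 3} combinations")
```

Every notation decodes back to the same integer, so the attacker's search space is set by `generate()`, not by how the result is spelled.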


