Tom Metro wrote:
> Entropy calculations can be very misleading, as the things that make a
> password easy to remember also make it much easier to guess. Password

There's a huge misdirection in that Ars article that you cite. It presumes that the attacker has the password database. Fact is, if an attacker can get the entire password database, such as with the Ubuntu Forums compromise, then it doesn't matter how strong your password is. The only limit to what an attacker can do in that situation is how much computing power he can throw at it. The only protection users have against this is not reusing passwords, so that one compromised account does not lead to others. Password variety trumps password strength.

In practice, such attacks are effectively useless against web sites and the like when users have reasonably strong passwords. It does not matter how much computing power you have. You can't throw precomputed hashes (rainbow tables) at a web site. And you're not going to get 1000 brute force or dictionary guesses per second against Google or Facebook. The recent Club Nintendo compromise -- which was effected with precisely this kind of attack -- was ~15 million attempts over 35 days. That's about 12 attempts per second.

-- Rich P.
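An added example, not part of Rich's post or anything from the BLU list, that puts numbers on the two attack models he contrasts. It runs a dictionary attack against a constructed "leaked" table of unsalted SHA-256 hashes (standing in for a dump like the Ubuntu Forums one), tries the recovered passwords against a constructed second site that does salt its hashes (the reuse problem), and compares the cost of the same guesses made through a login form at the 12 guesses per second quoted above. The users, hashes, wordlist, salts and the 40-bit keyspace are all made up for illustration; the offline rate is whatever the machine running it measures.

```python
"""Offline cracking of a leaked hash table versus online guessing.

Constructed example: the leaked table, the second site, the wordlist and
the salts are made up. ONLINE_GUESSES_PER_SEC is the Club Nintendo figure
quoted in the post; the offline rate is measured locally with hashlib.
"""
import hashlib
import time

ONLINE_GUESSES_PER_SEC = 12.0  # ~15 million attempts over 35 days
SECONDS_PER_YEAR = 365 * 86400


def h(data: bytes) -> str:
    """SHA-256 hex digest; stands in for whatever fast hash a site used."""
    return hashlib.sha256(data).hexdigest()


# Constructed "leaked" database: username -> unsalted SHA-256 of password.
# Unsalted, so one hash of a guess can be checked against every account.
LEAKED_DB = {
    "alice": h(b"letmein"),
    "bob": h(b"correct horse battery staple"),
    "carol": h(b"Tr0ub4dor&3"),
}

# Constructed second site that salts (salt || password). alice reused
# her password there; carol did not; bob has no account.
OTHER_SITE_DB = {
    "alice": ("s1", h(b"s1" + b"letmein")),
    "carol": ("s3", h(b"s3" + b"Different!2013")),
}

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty",
            "Tr0ub4dor&3", "monkey", "dragon"]


def crack_offline(db, wordlist):
    """Dictionary attack on an unsalted hash table.

    Returns (cracked, guesses): cracked maps username -> plaintext for each
    account whose password appeared in the wordlist; guesses is the number
    of hashes computed, which is len(wordlist) however many accounts there
    are, because every guess is compared against all hashes at once.
    """
    by_hash = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    guesses = 0
    for word in wordlist:
        guesses += 1
        for user in by_hash.get(h(word.encode()), []):
            cracked[user] = word
    return cracked, guesses


def stuffing_hits(cracked, other_db):
    """Try each cracked (user, password) pair against another site's salted
    table. Salting defeats the shared-hash trick above, but verifying one
    already-known password per account costs a single hash, so a reused
    password falls anyway. Returns username -> password for the reuses."""
    hits = {}
    for user, password in cracked.items():
        entry = other_db.get(user)
        if entry is None:
            continue
        salt, stored = entry
        if h(salt.encode() + password.encode()) == stored:
            hits[user] = password
    return hits


def online_seconds(guess_count, accounts, rate=ONLINE_GUESSES_PER_SEC):
    """Seconds to push guess_count guesses at each of `accounts` accounts
    through a login form at `rate` attempts/second. Nothing is shared
    between accounts online: every guess is one request per account."""
    return guess_count * accounts / rate


def keyspace_years(bits, rate):
    """Years to exhaust a 2**bits keyspace at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def measure_offline_rate(n=100_000):
    """Unsalted SHA-256 guesses/second on this machine with plain hashlib,
    no GPU and no optimised cracker, yet far above the online rate."""
    start = time.perf_counter()
    for i in range(n):
        h(b"guess%d" % i)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    cracked, guesses = crack_offline(LEAKED_DB, WORDLIST)
    print("offline: %d guesses cracked %s" % (guesses, sorted(cracked)))
    print("reused on the other site:", stuffing_hits(cracked, OTHER_SITE_DB))
    print("same wordlist online, 3 accounts: %.2f s" % online_seconds(guesses, 3))
    rate = measure_offline_rate()
    print("40-bit keyspace: %.0f years online, %.4f years offline"
          % (keyspace_years(40, ONLINE_GUESSES_PER_SEC), keyspace_years(40, rate)))
```

Running it shows the asymmetry in the post: the same seven guesses cost seven hashes offline regardless of how many accounts leaked, but 21 requests online, and a 40-bit keyspace that a laptop exhausts in hours at hashlib speed takes about 2900 years at 12 guesses per second. The stuffing step is the part a salt does not fix, which is the "password variety trumps password strength" point.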