Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] deadmanish login?

On 02/02/2017 07:48 PM, Richard Pieri wrote:
> On 2/2/2017 5:15 PM, Kent Borg wrote:
>> It depends on where those words came from. I am not relying on some
>> trick, I am relying on raw combinations.
> A dictionary attack against "premium student viking" using a given set
> of dictionaries takes exactly the same number of tries regardless

And if the dictionary has, let's say for round numbers 2048 words, then 
it takes 2048 attempts to try them all.

If I have three of those words in a row it takes 2048*2048*2048 attempts 
to try them all. That's 33-bits of entropy. The fact that the 33-bits 
are coded in 1s and 0s, in ACSII 1s and 0s, in hex, in base64, or in a 
lookup table words doesn't change how may attempts are needed. It is all 
about the number of combinations.

> regardless of how
> you selected those words.

No. If you choose words that "seem" random, if you choose words that a 
cracker could anticipate, then those combinations can be tried first, 
and the right combination found sooner. The cracker mught anticipate 
your behavior, but if the words are chosen randomly then the attacker 
has to anticipate the random number generator; has to anticipate the 
roll of the dice, has to anticipate the draw of the cards, has to 
anticipate the bits in urandom: in each case you want them to be 
impossible to anticipate.

It is not possible to know how many bits of entropy are in a password by 
looking at it, you can't tell if a password is really good by looking, 
you really have to know how it was created to be sure.


BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /