[Info-vax] password strength (Re: VMS humor)

Craig A. Berry craigberry at nospam.mac.com
Fri Jan 1 10:33:59 EST 2021


On 12/31/20 2:26 PM, Some Dude wrote:
> On Thursday, December 31, 2020 at 1:02:59 PM UTC-5, Craig A. Berry wrote:
>> On 12/31/20 12:29 AM, John Reagan wrote:
> 
>> But unless the entire phrase is in someone's password cracking
>> dictionary, the fact that portions contain well-known words doesn't
>> really make any difference, does it? If it did, delimiting with
>> non-space characters would take care of that.

> Nope.  Sophisticated attacks use dictionary tokens just the same as
> individual letters or symbols.

OK. I am not a cryptographer but since the number of words in the
dictionary is much larger than the number of letters in the alphabet,
and they would have to guess the sequence, position, capitalization, and
delimiters between tokens, and could not assume that all tokens are
valid dictionary words (especially not in the same language), would an
8-word sentence not increase the cost of a correct guess well beyond
that of a random sequence of 8 characters?

> Also most attacks against a compromised authorization file start with
> a giant database of previously-obtained password hits under the
> theory that there might be user overlap with a previously-compromised
> account and that people are lazy.

All the more reason to have people make up their own phrase or short
sentence of nonsense that will be memorable to them but unlikely to
appear in one of these databases.
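As an added worked example (not part of this thread), the comparison Craig is making, computed under the conservative assumption that the attacker already has every token in a dictionary and knows the construction: the dictionary size, capitalization and delimiter counts are constructed inputs, and the breach-list check models the second point about reused passwords with a constructed sample list.

```python
import math
import re

PRINTABLE_ASCII = 95  # characters 0x20-0x7E


def random_string_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Search space, in bits, of a uniformly random string."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dict_size: int,
                    cap_variants: int = 1, delimiters: int = 1) -> float:
    """Search space, in bits, when the attacker guesses whole dictionary tokens.

    Conservative model: every word is in the attacker's dictionary of
    dict_size entries, each word has cap_variants capitalization forms to
    try, and each of the words - 1 gaps uses one of `delimiters` choices.
    """
    if min(words, dict_size, cap_variants, delimiters) < 1:
        raise ValueError("all parameters must be positive")
    per_word = math.log2(dict_size) + math.log2(cap_variants)
    return words * per_word + (words - 1) * math.log2(delimiters)


def expected_guesses(bits: float) -> float:
    """Average guesses before a brute-force hit: half the search space."""
    return 2.0 ** bits / 2


def _normalize(phrase: str) -> str:
    # Attackers compare case-insensitively and strip delimiters, so do the same
    return re.sub(r"[^a-z0-9]", "", phrase.lower())


def in_breach_list(phrase: str, breach_phrases) -> bool:
    """True if the phrase (ignoring case and delimiters) is already known."""
    return _normalize(phrase) in {_normalize(p) for p in breach_phrases}


# Constructed sample of "previously obtained" phrases, not real breach data
SAMPLE_BREACH = ["correct horse battery staple", "letmein", "Passw0rd!"]

if __name__ == "__main__":
    print(f"8 random printable chars: {random_string_bits(8):.1f} bits")
    print(f"8 words, 20k dictionary, fixed delimiter: {passphrase_bits(8, 20000):.1f} bits")
    print(f"same, 3 capitalizations x 4 delimiters: {passphrase_bits(8, 20000, 3, 4):.1f} bits")
    print(in_breach_list("Correct-Horse-Battery-Staple", SAMPLE_BREACH))
```

Even with every word in the attacker's dictionary, eight words from a 20,000-word list give roughly 114 bits against about 53 bits for eight random printable characters; the breach-list check is the part that no entropy estimate covers.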
