[Info-vax] password strength (Re: VMS humor)

Arne Vajhøj arne at vajhoej.dk
Sat Jan 2 19:52:39 EST 2021


On 1/1/2021 10:33 AM, Craig A. Berry wrote:
> On 12/31/20 2:26 PM, Some Dude wrote:
>> On Thursday, December 31, 2020 at 1:02:59 PM UTC-5, Craig A. Berry wrote:
>>> On 12/31/20 12:29 AM, John Reagan wrote:
>>
>>> But unless the entire phrase is in someone's password cracking
>>> dictionary, the fact that portions contain well-known words doesn't
>>> really make any difference, does it? If it did, delimiting with
>>> non-space characters would take care of that.
> 
>> Nope.  Sophisticated attacks use dictionary tokens just the same as
>> individual letters or symbols.
> 
> OK. I am not a cryptographer but since the number of words in the
> dictionary is much larger than the number of letters in the alphabet,
> and they would have to guess the sequence, position, capitalization, and
> delimiters between tokens, and could not assume that all tokens are
> valid dictionary words (especially not in the same language), would an
> 8-word sentence not increase the cost of a correct guess well beyond
> that of a random sequence of 8 characters?

Yes. 8 English words is better than 8 random characters.

But 8 random characters is way better than English words with 8 characters.

If one assumes that the real range is 7 bits in random characters and 2 bits
in English-word characters, then a sequence of English words should
be 3.5 times as long as random characters to provide equivalent
security.

I very much prefer the English words approach, but it has to be
a pretty long sentence.

Arne
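The entropy arithmetic behind the reply above, written out as an added example (this is not code from the thread or from any poster). It takes the thread's own estimates as inputs: about 7 bits per truly random printable character and about 2 bits per character of English text. The uniform-wordlist model (an attacker who knows the dictionary and must guess each word's index) and the guess rate used for the time estimate are constructed assumptions for illustration.

```python
import math

# Per-character entropy estimates taken from the thread (assumptions, not measurements).
RANDOM_BITS_PER_CHAR = 7.0    # random printable characters
ENGLISH_BITS_PER_CHAR = 2.0   # characters of natural English text


def random_string_bits(length, bits_per_char=RANDOM_BITS_PER_CHAR):
    """Entropy of `length` independently chosen random characters."""
    return length * bits_per_char


def english_text_bits(length, bits_per_char=ENGLISH_BITS_PER_CHAR):
    """Entropy of `length` characters of ordinary English prose."""
    return length * bits_per_char


def equivalent_english_length(random_length):
    """Characters of English text needed to match `random_length` random characters.

    With 7 bits vs 2 bits per character this is the 3.5x factor from the thread.
    """
    return random_string_bits(random_length) / ENGLISH_BITS_PER_CHAR


def wordlist_passphrase_bits(num_words, dictionary_size):
    """Entropy of `num_words` words drawn uniformly from a known dictionary.

    Constructed model: the attacker has the full wordlist, so each word is
    worth log2(dictionary_size) bits regardless of how common the word is.
    """
    return num_words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years for an attacker making `guesses_per_second` to try every candidate.

    Used only to put the bit counts on a human scale; the rate is an assumption.
    """
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # constructed guess rate for an offline hash-cracking setup
    cases = {
        "8 random printable characters": random_string_bits(8),
        "8 characters of English text": english_text_bits(8),
        "28 characters of English text": english_text_bits(28),
        "8 words from a 2048-word list": wordlist_passphrase_bits(8, 2048),
    }
    for label, bits in cases.items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.2e} years")
    print(f"English length equivalent to 8 random chars: {equivalent_english_length(8):.0f}")
```

Running it shows why both of Arne's statements hold under these estimates: eight English characters (16 bits) are far weaker than eight random characters (56 bits), eight words drawn from even a small wordlist (88 bits) are stronger than eight random characters, and matching eight random characters with prose takes about 28 characters. The wordlist figure assumes the words are chosen uniformly at random; a sentence a person composes carries less entropy per word, which is why the reply insists on a long sentence.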