From mboxrd@z Thu Jan 1 00:00:00 1970 From: erik quanstrom Date: Wed, 30 Jun 2010 07:28:19 -0400 To: 9fans@9fans.net Message-ID: In-Reply-To: References: <1449883d7baedf2bc03d0857a73b6a98@coraid.com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] offered without comment or judgement Topicbox-Message-UUID: 3ae94698-ead6-11e9-9d60-3106f5b1d025 > I certainly have several nonsensical words / names for my cats. None > of them contain numbers or punctuation or anything associated with a > strong passphrase. The longest of these is probably about 12 > characters. And a system that can try a billion RSA keys per second is > going to quickly exhaust the relatively short combination of these, > even brute forcing. And you're right -- as I also alluded above, the assuming the attackers have a dictionary of only 500000 words that contains your nonsense words and assuming unicase and no spaces or other punctuation you get 18.9 bits/word. for a neat 3 word phrase, that's 56.8 bits. for a login, that's plenty since there should be some protection against password guessers. general slowness or just a slow connection should be enough to prevent 1e9 guesses/sec. > People have enough difficulty remembering short passwords. Or creating > "good" passwords in the first place. Upper bounds along with enforcing > permutations are placed to reduce peoples' likelihood of forgetting > them while still providing some level of security. It's not the best > approach, but until people start treating passwords like an ATM card > with a PIN, it's not going to matter much anyway. (Ignoring that PINs > for most cards are only have 9990 or fewer permutations.) people will learn. real computer passwords have not been common for very long. also, an atm card is a 2-factor authentication scheme. and you get 3 guesses. assuming you can steal the card your chances of success are about 3/10000. (wiki says 6/10000 due to unused numbers http://en.wikipedia.org/wiki/Pin_number#PIN_security) a better attack might be to shoulder surf and then socially engineer the bank into sending you a card. say by stealing it out of the mailbox. - erik