-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While dictionary attacks are very useful, the ease of remembering a
passphrase makes up for the difference (IMHO). For example, take the
following passphrase (which I don't use anywhere):
Once upon a mid-night dreary while I pondered, "What's a door?"
Perfectly correct English and very easy to remember (especially if you
ever read the Mad spoof of "The Raven"). It also is 63 characters
long, mixed case, with symbols, and doesn't exist as a string in any
published text. Is it really that vulnerable to dictionary attacks?
I can't remember highly complex passwords of more than about 8 to 12
characters. Once I get too many of them, I need to start writing them
down unless I make them easy to remember, and with only 8 char. to
work with (as many of my passwords are restricticted in length) it is
very hard not to compromise the complexity while being easy to
remember. On the other hand, I easily remember several different
passphrases of lengths ranging from 20 to (now) 63 and though there is
one that I haven't used in about a year, it is still fresh in my mind.
This reduces the problems of recording passwords in insecure
locations or needed passwords reset.
Greg
On 17 Jul 2006 19:55:09 -0000, eric.baechle@dhs.gov
<eric.baechle@dhs.gov> wrote:
Winshel;
Actually, a passphrase is not as secure as a random password. As you probably have heard, "Don't use dictionary words" over
and over again. Even compound dictionary words are bad, ie: "firedogdalmation". Compounding dictionary words with spaces,
punctuation, and even gramatically correct modifiers in between is really no different than without. It's a very simple substitution to
try; "firedogdalmation" and then try "fire dog dalmation", "Fire Dog Dalmation", "Dalmation the Fire
Dog", etc.
Using compound dictionary words could come back to bite you very quickly,
even when used in long phrases.
Sincerely,
Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security
---------------------------------------------------------------------------
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:
http://www.sensepost.com/training.html
---------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9
iD8DBQFEvA7G5KDU23nQpRcRAibeAKDLSAujGr6/sPQb3xNObyz69QIVWwCfTk1c
N8T2LEwVcx4d+MWvaLau6tg=
=uL83
-----END PGP SIGNATURE-----
---------------------------------------------------------------------------
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:
http://www.sensepost.com/training.html
---------------------------------------------------------------------------
