[talk] passwd entropy and strength
jschauma at netmeister.org
Sun Nov 5 14:04:46 EST 2017
George Rosamond <george at ceetonetechnology.com> wrote:
> So someone getting some of the passwd really just needs a "Wheel of
> Fortune" approach to determining a passwd in full.
> co__ect ho_se batte_y staple
> "Can I buy an 'r'?"
It is rather rare that an attacker would have a partial password.
Unlike so frequently portrayed in the movies, brute-force cracking
doesn't work like picking a lock -- it can't guess the first correct
character and then move on to the next one. Since the passphrase is
hashed, you always have to guess the full passphrase, and if it doesn't
match, you don't know whether or not you got some characters right.
While it's correct that with a $yourPrimaryLanguage charset passphrase
you somewhat limit the entropy of the individual characters to the
printable set, this is usually far outweighed by the length.
But this is technically true for _any_ restriction you make on a
password's complexity: if you require, say, 26 char length, and demand
that at least one must be a number, then one of the chars clearly has
less entropy than the others. But due to the above (you don't know
which one, although the first or last ones are more likely candidates),
you can't trivially reduce your number of guesses other than eliminating
any guesses that do not contain a digit.
> Going back to the passwd strength chart, how long does a passwd in
> 26-universe alphabet have to be to equal on that uses a 95-character
> ASCII universe?
> The conclusion, to me, is that getting users to use the whole ASCII
> universe of 95 characters with diversity is an achievable goal
I don't think it is. People will continue to pick poor (i.e.
predictable) passwords. Increasing the length overall is the best
strategy, as reflected in NIST's updated guidelines and across
Encouraging the use of password managers is the next best bet, but that
still faces usability and user education hurdles. Excellent for
environments where you can enforce them (e.g. corporate), but still much
too high a bar for the general public.
More information about the talk