mailing list archives
Re: Passwords: length vs. complexity
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 22 Jul 2008 04:00:38 +0200
On 2008-07-21 Kurt Buff wrote:
The number of tokens available, when using old-style passwords, is on
the order of, as you pointed out earlier, 26-36, correct?
Rather 90-95 (62 alphanumeric characters plus a number of special
characters). If we're talking about strong (randomly chosen) passwords,
The number of tokens, when using larger passphrases, and counting
entire words as tokens, delimited by spaces (and not counting
punctuation or special characters or capitalisation, and choosing
English as the base language, all of which are fairly large caveats, I
believe) becomes on the order of 10,000 to 20,000 commonly used word
out of about 1,000,000 or so in the English language, or more if
including specialized vocabularies, such as names, sports terms, and
less-common technical vocabularies specific to industry or job
The Technet article  Philippe referred to mentioned numbers from 300
Even if one accepts that the keyspace will be (severely) limited by
people choosing sentences with standard syntax and grammar, and by
choosing smaller and easier-to-type words, this still seems to be a
huge win over using randomized-but-smaller passwords that are hard to
remember and hard to type.
Perhaps. As I already said in my second last mail, even passphrases
with 5-7 words taken from a 300-word dictionary may be secure enough.
They're just not as secure as the proponents of passphrases make it
If one sets a minimum passphrase size of, say 20 characters, and
enforces complexity requirements that are standard in Windows (three
of the following four: UC characters, LC characters, numbers, and
punctuation and other special characters), then the passphrases will
be essentially invulnerable to rainbow tables, and far superior to
standard passwords from an end-user standpoint because of ease of
recall and input.
Will they really? I have my doubts about it. In another article Philippe
referred to , Roger Grimes lined out some problems with conventional
| And because most users also use dictionary words as the root to their
| "complex" password, and follow other common conventions (capitalized
| letters are at the beginning, numbers are at the end)
IMHO the same users will not magically stop making the same mistakes
when being forced to use passphrases instead of passwords. They'll use
simple words in simple sentences, applying the grammar and punctuation
they learned in school. I don't have actual numbers on this, but AFAICS
that should reduce the number of possible password significantly.
As for rainbow tables, there are better ways to deal with them than
password requirements (salted hashes in particular).
Don't get me wrong, I'm by no means opposed to using passphrases, and I
agree that they probably are easier to memorize for Joe Average. I'm
just not convinced that they are a silver bullet like some people say.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq
Re: How does the Cain and Abel SAM dump works? Carlos Madrid (Jul 16)
Re: How does the Cain and Abel SAM dump works? Patrick Webster (Jul 16)
Re: Re: Fwd: How does the Cain and Abel SAM dump works? kschindel (Jul 16)
Re: Fwd: How does the Cain and Abel SAM dump works? krymson (Jul 16)
Re: Re: Fwd: How does the Cain and Abel SAM dump works? anon (Jul 18)