
Security Basics mailing list archives
Re: Length vs Complexity
From: Walter Goulet <wgoulet () gmail com>
Date: Thu, 16 Sep 2010 15:06:56 -0500
Any poorly chosen password can be cracked with one guess. Password length and complexity are simply methods to create a larger pool of valid passwords for users to choose from. Both methods also make dictionary attacks that much more difficult (e.g. dictionary attacks are more effective at guessing passwords made up of whole words but would be less effective at guessing a sentence/phrase that contains names for example; or for guessing passwords that contain random symbols).

On Thu, Sep 16, 2010 at 2:51 PM, Not Saying <b1ackr0ut3r () gmail com> wrote:
But this is all based on probability and likelihood. Someone could crack the password with one guess.

On Thu, Sep 16, 2010 at 2:15 PM, Walter Goulet <wgoulet () gmail com> wrote:

I would agree with your argument; longer passwords will create a larger keyspace more rapidly than a shorter password with more complexity rules.

The way I think about it is like this: An 8-character password that is restricted to the 52 upper/lowercase letters plus valid digits 0-9 is going to have a total of 62 possible values for each position, for a total of 62^8 possible passwords (218 trillion or so). If you increase the length to just 12 characters, you get like 62^12 or approx. 3 trillion possible password values. If you instead permit users to, say, use all printable ASCII characters (128 possible values for each position), you are just changing the base value (128^8 or 72 quintillion or so).

So, by requiring longer passphrases you are exponentially increasing the size of the keyspace.

On Thu, Sep 16, 2010 at 12:01 PM, Mike Razzell <m.razzell () gmail com> wrote:

Users hear constantly that they should add complexity to their passwords, but from the math of it, doesn't length beat complexity (assuming they don't just choose a long word)? This is not to suggest they should not use special characters, but simply that something like Security.Basics.List would provide better security than D*3ft!7z. Is that correct?

Thanks,
-Mike

--
Sent from my mobile device
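The keyspace arithmetic discussed in this thread, worked through as an added example (not part of any of the posts). It compares the two passwords from the original question under a per-character brute-force model and under a whole-word dictionary model; the class-union alphabet model and the 100,000-word dictionary size are assumptions made for illustration.

```python
import math
import string

# Assumption: a brute-force search covers the union of the character
# classes that actually appear in the password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Size of the union of character classes present in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def keyspace_bits(symbols, length):
    """log2(symbols ** length): bits of keyspace if every position is
    chosen uniformly at random from `symbols` possibilities."""
    return length * math.log2(symbols)

def password_bits(password):
    """Upper bound on brute-force bits for this password's length and classes."""
    return keyspace_bits(alphabet_size(password), len(password))

def break_even_length(small_alphabet, big_alphabet, big_length):
    """Shortest length over the small alphabet whose keyspace is at least
    big_alphabet ** big_length (exact integer arithmetic)."""
    target = big_alphabet ** big_length
    length = 1
    while small_alphabet ** length < target:
        length += 1
    return length

if __name__ == "__main__":
    for pw in ("Security.Basics.List", "D*3ft!7z"):
        print(f"{pw!r}: len={len(pw)} alphabet={alphabet_size(pw)} "
              f"bits<={password_bits(pw):.1f}")
    print("62^8   =", 62 ** 8)
    print("62^12  =", 62 ** 12)
    print("128^8  =", 128 ** 8)
    # Length at which letters+digits alone match 8 chars from a 128-symbol set.
    print("break-even length (62 vs 128^8):", break_even_length(62, 128, 8))
    # Dictionary model: the phrase treated as 3 words drawn from a
    # 100,000-word list (constructed figure), ignoring separators and case.
    print(f"3 dictionary words: {keyspace_bits(100_000, 3):.1f} bits")
```

The per-character figure is an upper bound that only holds for randomly chosen characters; the dictionary-model line shows how far the estimate drops when the guesser works in whole words instead.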