Full Disclosure mailing list archives
Re: Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time)
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 28 Mar 2006 14:41:10 -0500
Well, but in the example passphrase you chose above (and adding 4 for and 5 for s), there are 20 potentially leet chars. To specify each one as being either normal or leetified would add 20 bits of entropy. If you assume the biggest threat against a complex passphrase like that is an advanced dictionary-based attack (combining multiple words and then testing leet-ified and number pre/post-fixed variations), then we just multiplied the cost of bruting it by 2^20. I reckon that's a worthwhile multiplier!
Most password crackers (notably L0pht) can do "common character substituion" tests in conjunction with a wordlist -- thus, 'l33t1fy1ng' your passwords is a pretty poor defense.
Michael Holstein CISSP GCIA Cleveland State University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) coderman (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) James Longstreet (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
- Re: guidelines for good password policyand maintenance / user centric identity with single passwords(or a small number at most over time) <...> (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Gareth Davies (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Valdis . Kletnieks (Mar 26)
- Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time) Dave Korn (Mar 28)
- Re: Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time) Michael Holstein (Mar 28)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) James Longstreet (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
