[dba-Tech] Cross post - Password security

Stuart McLachlan stuart at lexacorp.com.pg
Thu Aug 11 16:08:03 CDT 2011


Your systems guy has missed the point. It is only easily cracked if the password rules are
"must be four English words" and the attacker knows that fact.

If the rules are "use any mixture of upper and lower case, digits and special characters" then 
your private choice to concatenate several words makes it easier to remember without 
making it easier to crack.  In that situation, ManBearPig or manbearpig is just as secure as 
M*aBbbbP11.  

-- 
Stuart

On 11 Aug 2011 at 7:06, Jim Lawrence wrote:

> Here is a comment for a very good systems guy on that level and type
> of password:
> 
> "Yep. I saw that. Unfortunately, it is flawed. Reason being that the
> average person only has a small vocabulary and therefore this does not
> increase the entropy as much as suggested. In fact, a four word
> password could easily be cracked within a few days with current
> CPU/GPU technology. It's a nice idea though, which does lead to decent
> password strength if you tweak the idea a bit with something like
> putting x many underscores in front of the password and something like
> that. A bit like salting your hash function."
> 
> Jim
> 
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Stuart McLachlan
> Sent: Wednesday, August 10, 2011 2:24 PM
> To: 'Off Topic'; 'Discussion of Hardware and Software issues'
> Subject: Re: [dba-Tech] Cross post - Password security
> 
> Talk about co-incidence.  Today's xkcd: 
> 
> http://xkcd.com/936/
> 
> 
> 
> -- 
> Stuart
> 
> On 10 Aug 2011 at 20:57, Jon Tydda wrote:
> 
> > Hi all
> > 
> > Someone just posted this on my wall on facebook, and it looks
> > really interesting, thought I'd share it.
> > 
> > https://www.grc.com/haystack.htm
> > 
> > 
> > Jon
> > _______________________________________________
> > dba-Tech mailing list
> > dba-Tech at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/dba-tech
> > Website: http://www.databaseadvisors.com
> > 
> 
> 
> 
> 
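The two attacker models argued over in this thread, worked through as an added example (it is not part of any poster's message): a character-by-character brute force versus a search over concatenated dictionary words. The word list, the 2048-word vocabulary size (11 bits per word) and the two case variants per word are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for an attacker's word list (assumption, not from the thread).
WORDS = {"man", "bear", "pig", "correct", "horse", "battery", "staple"}
VOCAB_SIZE = 2048    # assumed size of the full list: 11 bits per word
CASE_VARIANTS = 2    # assumed: each word tried all-lowercase and Capitalised

def charset_size(pw):
    """Alphabet a character-by-character brute force must cover for pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def split_words(pw):
    """Fewest-words split of pw into WORDS entries (case-insensitive), or None."""
    low = pw.lower()
    best = [None] * (len(low) + 1)   # best[i]: shortest split of low[:i]
    best[0] = []
    for end in range(1, len(low) + 1):
        for start in range(end):
            piece = low[start:end]
            if best[start] is not None and piece in WORDS:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[-1]

def brute_force_bits(pw):
    """log2 of the search space when the attacker only assumes 'any characters'."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def word_model_bits(pw):
    """log2 of the search space when the attacker assumes joined dictionary words;
    None if pw is not such a join, i.e. this model never reaches it."""
    words = split_words(pw)
    if words is None:
        return None
    return len(words) * math.log2(VOCAB_SIZE * CASE_VARIANTS)

if __name__ == "__main__":
    for pw in ("ManBearPig", "manbearpig", "M*aBbbbP11"):
        wm = word_model_bits(pw)
        print(f"{pw:12} brute-force {brute_force_bits(pw):5.1f} bits, "
              f"word model {'not covered' if wm is None else f'{wm:.1f} bits'}")
```

Which of the two figures applies to a given password depends on which model the attacker actually runs, which is the point the posters disagree on.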





