Dear Linkedin,
Joel jaeggli
joelja at bogus.com
Sun Jun 10 07:03:43 UTC 2012
On 6/8/12 16:05 , Alec Muffett wrote:
>> Does anybody have a good URL explaining that idea? It's been
>> kicking around for many years. I've never seen a convincing
>> writeup.
>
> I've tried to do that in another mail - it's in the realms of
> philosophy more than strategy; like if you're a really security-aware
> person and take great care you can probably stretch the useful life
> of a password out to _years_ - but how typical are *you* in that
> instance?
I have a slide in a presentation I give about oncea year that goes
something like:
How good does a password/phrase have to be in order to
protect against brute-force or dictionary attacks against the
password itself?
● Entropy in language.
– A typical english sentence has 1.2 bits of entropy per
character, you need 107 characters to get a statistically
random md5 hash.
– Using totally random english characters you need 28
characters.
– Using a random distribution of all 95 printable ascii
characters you need 20 characters.
● Observation, good passwords are hard to come by.
>> Does your bank request/require that you change the PIN on your ATM
>> card every few months?
>
> ATM cards are not passwords, they are a coarse form of two-factor
> authentication - You have the card, you have the PIN.
>
> You have to possess both in order to transact - at least in in
> theory.
>
> Compare that with the secrecy surrounding the CVV - the "last three
> digits on the number on the back of the card" which you are "not
> meant to tell anyone" and which _will_ be different if your card is
> lost/stolen and reissued.
>
> Now _that_ is a password.
>
>> Security is a tradeoff. I think there are two cases for passwords.
>> I'll call them important and junk. I'm willing to store the junk
>> ones in a file or piece of paper that I'm careful with. I have to
>> memorize the important ones.
>
> You know, that's not bad. I am pro-paper for long passwords. I am
> even-more pro "password safes".
>
>> I'm only smart enough to memorize a few good passwords. If I
>> change them every few months, they will be less good, or fewer of
>> them.
>
> It's harder as we get old. Use technology to aid with the heavy
> lifting. :-)
>
> -a
>
>
>
>
More information about the NANOG
mailing list