
An entity claiming to be rick hoselton wrote:
:
: Another example: What if I selected a nonsense passphrase,
: "Dagmar shaved Howard's cocker spaniel" Not great, but adequate for my needs.
: If, by some wild coincidence, a book by that title became a best seller, I would
: change my passphrase. A cryptanalyst who knew that was my feeling could simplify
: his cracking by not bothering to search for best selling book titles. On the other
: hand, a cryptanalyst who was not so convinced of my paranoia, and who DID check
: book titles, would not find my passphrase. I assume that BOTH philosophies
: would be used in a serious attack. When I do the math, it says that, assuming
: BOTH types of attack are done, it is better to have a passphrase that is not
: the title of a book.

By the same token, an admin who runs crack on /etc/passwd to weed out poor passwords isn't going to be faulted for reducing the key space for users' passwords. The question is, how much of the keyspace should be eliminated as "obviously a poor choice"? Also, how much of this falls under "security through obscurity"? If an attacker knows what you omit .. his/her job is a bit easier.

Is it possible to find a percentage of the key space to eliminate that will optimize security assuming that the attacker will try the easy stuff first (and is it possible to quantify "easy stuff")?

--
Mark Rogaski        | Why read when you can just sit and  | Member
System Admin        | stare at things?                     | Programmers Local
GTI GlobalNet       | Any expressed opinions are my own    | # 0xfffe
wendigo@pobox.com   | unless they can get me in trouble.   | APL-CPIO
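A toy model of the question in the post above, added here as an example and not part of the thread: it assumes candidate passphrases have a Zipf-like popularity (the "easy stuff" at the top), that users rejected by a crack-style filter re-pick in proportion to the remaining popularity, and that an attacker guesses in popularity order, either knowing the filter or not (Rick's two attacker types). All weights and sizes are constructed, not measured.

```python
# Added example, not from the thread.  Every quantity is a constructed
# assumption: the i-th most popular candidate passphrase gets weight 1/i,
# the usual rough shape of human choices (book titles, dictionary words on top).

def zipf_weights(n):
    """Relative popularity of n candidates, most popular first (assumed model)."""
    return [1.0 / i for i in range(1, n + 1)]

def expected_guesses(weights, k, attacker_knows_policy):
    """Expected guesses to hit a user's choice when the admin rejects the k
    most popular candidates (a crack-style check).  Rejected users re-pick
    from the allowed candidates in proportion to the remaining weights; the
    attacker tries candidates in decreasing popularity.  An attacker who knows
    the policy skips the banned ones; one who does not (the attacker who
    'DID check book titles') wastes k guesses on them first."""
    allowed = weights[k:]                       # weights are sorted descending
    total = sum(allowed)
    wasted = 0 if attacker_knows_policy else k
    return sum((w / total) * (wasted + rank)
               for rank, w in enumerate(allowed, start=1))

def worst_case(weights, k):
    """Rick's assumption that BOTH attacker types are used: a policy is only
    as strong as the cheaper attack against it."""
    return min(expected_guesses(weights, k, True),
               expected_guesses(weights, k, False))

def best_ban_count(weights):
    """The k (number of banned candidates) that maximises worst-case cost,
    returned together with that cost."""
    return max(((k, worst_case(weights, k)) for k in range(len(weights))),
               key=lambda kv: kv[1])

if __name__ == "__main__":
    n = 500
    w = zipf_weights(n)
    print("no filtering:", round(worst_case(w, 0), 1), "expected guesses")
    k, cost = best_ban_count(w)
    print(f"ban top {k} ({100 * k / n:.0f}% of candidates):", round(cost, 1))
    print("ban all but 10:", round(worst_case(w, n - 10), 1))
    # Uniform choices are the pure "reducing the key space" case: there every
    # ban only helps an attacker who knows the policy.
    u = [1.0] * n
    print("uniform, ban 10%:", round(worst_case(u, n // 10), 1),
          "vs no ban:", round(worst_case(u, 0), 1))
```

Under these assumptions the cost against the best attacker roughly doubles when the top few percent of candidates are banned and then falls again, so the percentage asked about exists but depends entirely on how skewed the users' choices are; banning nearly everything hands a policy-aware attacker a shortlist.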