CDR: Re: Is kerberos broken?
At 12:00 PM 8/31/00 -0400, Joseph Ashwood wrote:
No but I feel free to type a hundred or so, but that's beside the point. The claim made was that anything a human can remember, a computer can brute force, this was simply one very clear example that it simply was not true, as I rather thoroughly established.
Anything large that a human can remember has enough structure so that you don't need brute force, you use a dictionary-based attack.
A human can easily remember 26 random letters from a 32 character alphabet with a little mnemonic method (eg map each character to a word so that it makes up some sort of dumb story). 5*26==130 which is more bits than computers can currently exhaust over.
On Sat, 2 Sep 2000, BENHAM TIMOTHY JAMES wrote:
A human can easily remember 26 random letters from a 32 character alphabet with a little mnemonic method (eg map each character to a word so that it makes up some sort of dumb story). 5*26==130 which is more bits than computers can currently exhaust over.
True, especially if you salt with a suitably long random number and combine the two with a sufficiently nasty serial computation. Most of this thread does not, despite the strong wordings, actually concentrate on what average people *can* do but what they are likely to do when they do not have any real reason/incentive to guard their privacy.
Sampo Syreeni <decoy@iki.fi>, aka decoy, student/math/Helsinki university
On Sat, 2 Sep 2000, BENHAM TIMOTHY JAMES wrote:
A human can easily remember 26 random letters from a 32 character alphabet with a little mnemonic method (eg map each character to a word so that it makes up some sort of dumb story). 5*26==130 which is more bits than computers can currently exhaust over.
True, especially if you salt with a suitably long random number and combine the two with a sufficiently nasty serial computation.
Most of this thread does not, despite the strong wordings, actually concentrate on what average people *can* do but what they are likely to do when they do not have any real reason/incentive to guard their privacy.
Sure, probably 70% or more of real pass phrases are crackable, but that's not strictly the fault of the software. It doesn't really matter either, if they &really& have no "reason/incentive to guard their privacy".
Tim
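Added example, not part of the original thread: the 5*26 = 130-bit arithmetic and the "salt plus serial computation" suggestion from the messages above, worked through in Python. The alphabet, the iteration count, the choice of PBKDF2-HMAC-SHA256 as the serial computation, and the 100,000-entry dictionary figure are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 32-symbol alphabet (assumption; the thread names no specific one).
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
ITERATIONS = 2 ** 17  # illustrative work factor (assumption)


def random_passphrase(length=26):
    """Draw each character uniformly with a CSPRNG, so no dictionary applies."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy in `length` uniform symbols: length * log2(size)."""
    return length * math.log2(alphabet_size)


def attack_cost_bits(guess_space_bits, iterations=ITERATIONS):
    """log2 of the hash evaluations needed to try every guess after stretching."""
    return guess_space_bits + math.log2(iterations)


def stretch(passphrase, salt, iterations=ITERATIONS):
    """Salted serial computation: each PBKDF2 round depends on the previous one."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def enroll(passphrase):
    """Return the record a verifier stores: a fresh random salt and the key."""
    salt = secrets.token_bytes(16)
    return salt, stretch(passphrase, salt)


def verify(passphrase, record):
    """Recompute the stretched key and compare in constant time."""
    salt, key = record
    return hmac.compare_digest(stretch(passphrase, salt), key)


if __name__ == "__main__":
    phrase = random_passphrase()
    print(phrase, entropy_bits(len(phrase), len(ALPHABET)))
    print("random phrase, stretched:", attack_cost_bits(130))
    # Constructed figure: one phrase picked from a 100,000-entry dictionary.
    print("dictionary phrase, stretched:", attack_cost_bits(math.log2(100_000)))
    print("verifies:", verify(phrase, enroll(phrase)))
```

Stretching adds the same fixed number of bits of work to every guess, so it raises the cost of attacking the random phrase and the dictionary phrase alike but does not close the gap between them.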