CDR: Re: Is kerberos broken?
On Fri, 1 Sep 2000, Steven Furlong wrote:
I used to work for a full-text indexing company. (So I can argue from a position of authority, and you can't dispute anything I say. ;-) ) The problem of indexing and matching text is not a hard problem in the mathematical sense, but it quickly becomes computationally gruesome.
I know, I know. No essential difference between text and pure binary data except a more limited alphabet and even lower mean entropy per symbol sent.
For myself, I often use as pass phrases memorized phrases from literature. Which ones? Well, I read four languages, and I do the number/letter and symbol/letter substitutions, so I feel secure even revealing that clue.
Good for you. Most people never go to even that much trouble. But I still think that dictionary searches on, say, all consequtive subsequences of 6-200 characters in the top 100 most likely to have been read books of a given adversary, with common variations (suppression of punctuation, all upper and lower case, adjunction of numbers below from 0-999 in the beginning and end of the phrase, all caps with first capital and vice versa, for the phrase and all words etc.) does not get too hard too fast, especially if we have statistics of people's habits which allow us to work the more likely candidates (like all lower case with little extra changes) first. And it *is* likely to work for the majority of adversaries. I also conceed to your point: serious crypto buffs like most people on this list would probably have little to fear from such attacks... Sampo Syreeni <decoy@iki.fi>, aka decoy, student/math/Helsinki university
Sampo A Syreeni wrote:
For myself, I often use as pass phrases memorized phrases from literature. Which ones? Well, I read four languages, and I do the number/letter and symbol/letter substitutions, so I feel secure even revealing that clue.
Good for you. Most people never go to even that much trouble. But I still think that dictionary searches on, say, all consequtive subsequences of 6-200 characters in the top 100 most likely to have been read books of a
I tend to just string up lots of characters, so my passphrases look like this: ^#.;Odfi9@7f$}'~%42w0,m:Qe_|33+\ and so on. How do you memorize this? You break it up in chunks, memorize each chunk, then link them together. And then you type it in a lot of times the first few days you use it. It's not that hard. If you don't use it on a daily basis, the danger is in forgetting it. Yep, most people would have a coronary before accepting the above as a passphrase. Fuck'em. They deserve the security they're willing to provide themselves. Passphrases from books are nice, but if they're all text, they're a hell of a lot easier to brute than the above. Especially if you have the texts in electronic form. -- ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ \|/ :aren't security. A |share them, you don't hang them on your/\|/\ <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ /|\ :masked killer, but |don't email them, or put them on a web \|/ + v + :will violate privacy|site, and you must change them very often. --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------
Marcel Popescu wrote:
X-Loop: openpgp.net From: "sunder" <sunder@sunder.net>
I tend to just string up lots of characters, so my passphrases look like this:
^#.;Odfi9@7f$}'~%42w0,m:Qe_|33+\ and so on.
Why the heck would you need a password this big? There are 94 printable characters (0x33 .. 0x7E); a random password 32 chars long (like the above) will thus have ~ 1.38 x 10^63 possibilities, meaning 210 bits of entropy (10^63 = O(2^210)). What, do you intend to use your password as a public key?
A password made of the same character set, but only 8 chars long, will provide 94^8 ~= 6 x 10^15 = O(2^50) combinations. I'd say that's plenty - remember, it's a password, not a key.
I use things like the above as passphrases, not passwords, to things like PGP or the encrypted disk partitions I use. Hence you need lots of entropy. -- ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ \|/ :aren't security. A |share them, you don't hang them on your/\|/\ <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ /|\ :masked killer, but |don't email them, or put them on a web \|/ + v + :will violate privacy|site, and you must change them very often. --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------
participants (3)
-
Marcel Popescu -
Sampo A Syreeni -
sunder