On 4/22/11 10:04 AM, Nicholas Cole wrote:

> What I meant was rather this: there are several strategies that
> produce good passwords. Teaching them requires (at some employers) a
> 30 minute course or the reading of a web page. However, forcing any
> *particular* strategy onto users will dramatically reduce the time it
> takes to guess a password, since knowing the strategy reduces the
> number of possibilities dramatically.
Let's have a thought experiment: your particular situation is such that you want attackers to face at least a 9-bit keyspace, but you also want to disqualify easy, commonly-used keys.

Answer: tell users their passwords must be any number between 0 and 999 inclusive, except that it can't be in the range 0-9, or be any two- or three-character repeating password (no 11, no 222, no 33, but 331 is fine). This is meant to keep people from choosing weak passwords.

This has the net effect of striking 10 (0-9) + 9 (11+22+33... etc.: note that 00 is already struck under the "no 0-9" rule) + 9 (111+222+333... etc.) = 28 possibilities. You've reduced the original 9.97-bit keyspace to 9.92 bits, which still exceeds your requirements. At the same time, you're preventing users from choosing trivially weak and easily guessable passwords.

Your observation is correct only if excluding certain passphrases causes the entropy of the keyspace to drop below your requirements. Otherwise, there's no problem with strategy enforcement.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
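The following is an added worked example, not code from the post above or from GnuPG. It enumerates the 0-999 keyspace of the thought experiment, applies the "no 0-9, no repeated digits" rule as a predicate, and reports how many bits survive. It goes one step beyond the post by also including a second, hypothetical policy (`strict_strategy`: three strictly increasing digits) that forces a single guessing strategy and so does drop below the 9-bit requirement. The function and policy names are made up for this example; the only inputs are the integers 0-999.

```python
"""Entropy check for a password-acceptance policy (added example).

Models the thought experiment from the thread: enumerate the full
keyspace, apply a policy as a predicate, and compare log2 of the
surviving count against the required minimum. The policy names below
are hypothetical; the keyspace is the constructed range 0..999.
"""
import math
from typing import Callable, Iterable, Tuple


def is_repeating(s: str) -> bool:
    """True if s is one character repeated ('11', '222'); single chars are not."""
    return len(s) >= 2 and len(set(s)) == 1


def toy_policy(n: int) -> bool:
    """The thread's rule set: 0..999 allowed, except 0..9 and any two- or
    three-digit repeat of a single digit (11, 222 rejected; 331 accepted)."""
    if n < 10:
        return False
    return not is_repeating(str(n))


def strict_strategy(n: int) -> bool:
    """Hypothetical policy that forces one 'strategy': exactly three digits,
    strictly increasing (123, 159, ...). Anyone who knows the rule can
    enumerate the survivors quickly."""
    s = str(n)
    return len(s) == 3 and s[0] < s[1] < s[2]


def surviving_keyspace(keyspace: Iterable[int],
                       policy: Callable[[int], bool]) -> Tuple[int, int]:
    """Return (total candidates, candidates the policy accepts)."""
    total = allowed = 0
    for k in keyspace:
        total += 1
        if policy(k):
            allowed += 1
    return total, allowed


def bits(count: int) -> float:
    """Entropy of a uniformly chosen key from `count` possibilities."""
    return math.log2(count) if count > 0 else float("-inf")


def bits_lost(total: int, allowed: int) -> float:
    """Entropy removed by the policy: log2(total / allowed)."""
    return bits(total) - bits(allowed)


def policy_meets(policy: Callable[[int], bool], keyspace: Iterable[int],
                 required_bits: float) -> bool:
    """True when the keys the policy leaves still give at least required_bits."""
    _, allowed = surviving_keyspace(keyspace, policy)
    return bits(allowed) >= required_bits


if __name__ == "__main__":
    ks = range(1000)
    for name, pol in (("toy_policy", toy_policy),
                      ("strict_strategy", strict_strategy)):
        total, allowed = surviving_keyspace(ks, pol)
        print(f"{name}: {allowed}/{total} keys, {bits(allowed):.2f} bits "
              f"(lost {bits_lost(total, allowed):.3f}), "
              f"meets 9 bits: {policy_meets(pol, ks, 9)}")
```

Running it reproduces the post's arithmetic (1000 candidates, 972 after the 28 exclusions, 9.97 bits down to 9.92) and shows the contrast: a policy that merely removes a handful of weak keys costs a few hundredths of a bit, while one that dictates the structure of every key (84 survivors here) loses several bits and fails the requirement. The same `surviving_keyspace` / `policy_meets` pair works for any finite keyspace you can enumerate and any predicate you can write down.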