On Wednesday, April 03, 2013 18:47:17 Cristian Tibirna wrote:
> On Wednesday 03 April 2013 22:39:47 Rolf Eike Beer wrote:
> > Hi all,
> >
> > http://xkcd.com/936/

In fairness, common dictionary words (no matter how long) have less entropy than you would get just from adding the letters. Each word can simply be considered a letter in a larger alphabet. E.g. a 4-word "long" password from within the 500 most common words is one of only 6.25e10 possibilities. So I'd use dictionary words as a supplement to other means, not by themselves.

The authors of JohnTheRipper surely read XKCD just as we do. :)

> > so a password containing only lowercase characters and numbers needs to be much longer
> > than one also containing specials and uppercase characters.
>
> Really, this whole "can be short because has mixed types of characters"
> nonsense has to die.
>
> There is a math theory behind password strength. There might even be
> libraries capable of measuring this properly.

Completely agreed. If anything it seems that even the idea of "password entropy" might not apply to any passwords that a human generates [1]. In such a scenario it may be best to simply correlate "password strength" loosely with "password length".

[1] http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html

Regards,
 - Michael Pyne
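The "each word is a letter in a larger alphabet" argument above, worked through as an added example (not code from the thread or from any of its participants): the same search-space formula, length * log2(alphabet size), applied to the 500-word passphrase from the message, the 2048-word xkcd passphrase, and character-based schemes of various lengths and classes. Alphabet sizes for the character classes are my assumptions; the numbers assume every symbol or word is chosen uniformly at random, which human-chosen passwords are not.

```python
import math

# Assumed alphabet sizes for character-based schemes (not from the thread).
LOWER = 26            # a-z
LOWER_DIGITS = 36     # a-z plus 0-9
ALL_PRINTABLE = 95    # printable ASCII, the "mixed types of characters" case


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a string of `length` symbols drawn uniformly from
    an alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    Only valid for uniformly random choice; user-picked passwords have less."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """A passphrase is the same formula with the dictionary as the alphabet."""
    return search_space_bits(dictionary_size, words)


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniform string over `alphabet_size`
    symbols reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_schemes() -> dict:
    """Entropy (bits) of several schemes so length can be weighed against
    character classes. 2**bits is the number of candidates an exhaustive
    search must cover (500**4 == 6.25e10 for the first entry)."""
    return {
        "4 words from 500-word list": passphrase_bits(500, 4),          # ~35.9
        "4 words from 2048-word list (xkcd)": passphrase_bits(2048, 4), # 44.0
        "8 chars, all printable ASCII": search_space_bits(ALL_PRINTABLE, 8),  # ~52.6
        "12 chars, lowercase only": search_space_bits(LOWER, 12),       # ~56.4
        "16 chars, lowercase+digits": search_space_bits(LOWER_DIGITS, 16),  # ~82.7
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:38s} {bits:5.1f} bits  (~{2 ** bits:.2e} candidates)")
    # How many lowercase letters match 8 fully mixed characters?
    print("lowercase length matching 8 mixed chars:",
          length_needed(LOWER, search_space_bits(ALL_PRINTABLE, 8)))
```

Twelve lowercase letters already exceed eight characters drawn from the full printable set, which is the thread's point that length buys more than mixing classes.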
