On Sun, Nov 30, 2014, at 12:48 AM, Nick Holland wrote:
> On 11/29/14 22:06, Eric Furman wrote:
> > OFF TOPIC. This has nothing to do with OpenBSD,
> > but a lot of guys here know about this stuff.
> > I've done some reading, but still not sure.
> > OK, at the risk of looking stupid, which of these passwords is better;
> > kMH65?&3
> > or
> > mylittlelambjumpedovertenredbarns
>
> there's an XKCD comic along these lines. I'm too lazy to dig it up.
>
> "It's complicated."
> Both have eight "things". The latter is drawn from a much much larger
> set (words (thousands), vs. characters (not 100)). So, looks like a
> simple win for the second over the first, right?
>
> Problem is the words "connect" to humans. "little" is more likely to be
> followed by "lamb" than it is "red" (though if "red" follows "little" I
> bet the next word would be "wagon"). "red" is more likely to be
> followed by "barn" than "lamb". Still, there's a huge number of choices
> for each "word", so I'd say the phrases still win.
>
> (sorta related side note: At least with names, there's some curious
> clusters that are seen -- for example, a friend of mine and her two
> siblings have (basically) the same names as three of Adolph Hitler's
> siblings (one is a slight stretch, the other two are dead-on, which is
> impressive considering the very different ethnic backgrounds). I don't
> think my friend's parents would have permitted this had they known.
> I've seen similar "groupings" of names in other families. (Did I just
> win the award for most unexpected use of "hitler" in an internet
> discussion?))
>
> Simply saying "there are X words of five letters or less and there are
> eight of them in my pw means there are X^8 PWs someone would have to try
> to get my PW" is wrong by probably several orders of magnitude. That's
> not how humans pick passwords, and if the computer does it for you, it
> might be as hard or harder than if you use random characters.
>
> Then there is the system where it is stored. If you are working on a
> stock Solaris 9 or AIX system with the default settings, only the first
> eight chars are used, so the random string is much better than
> "mylittle", and if you, like most people, reuse passwords or don't know
> that the target system only uses the first eight characters, you can end
> up using a trivial pw that you thought was really good.
Yes, part of the reason for asking this question was that I am aware that some authentication schemes only use the first 8 characters. Is there any way of knowing if they do ignore any characters after the first eight? Are authentication schemes that don't recognize more than eight characters still common? One of my banking sites won't accept certain special characters. Like $, %, ? Which messes up my best short passwords that I actually remember.
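Two points in the thread can be put into numbers: Nick's argument that the naive X^8 count overstates passphrase strength because each word narrows the likely next word, and the eight-character truncation question Eric raises. The following is an added example written for this page, not code from either poster; the dictionary size (5000 words), the "likely followers" count (50), and the eight-character "legacy" hash are constructed assumptions used to show the effect, not measurements of any real system.

```python
import hashlib
import math

# Constructed figures for illustration, not values from the thread:
PRINTABLE_ASCII = 95      # characters a random password like kMH65?&3 is drawn from
DICTIONARY_WORDS = 5000   # assumed size of "X words of five letters or less"
LOWERCASE = 26            # what survives if "mylittle..." is cut to eight letters


def entropy_bits(choices_per_position):
    """Entropy in bits when each position is picked uniformly and independently
    from the given number of choices (one count per position)."""
    return sum(math.log2(n) for n in choices_per_position)


def random_string_bits(length=8, alphabet=PRINTABLE_ASCII):
    """Eight random printable characters: 8 * log2(95), about 52.6 bits."""
    return entropy_bits([alphabet] * length)


def passphrase_bits(words=8, dictionary=DICTIONARY_WORDS, followers=None):
    """Naive X^8 estimate when followers is None.  When followers is given it is
    the assumed number of words a human is realistically likely to put after the
    previous one (the "little" -> "lamb" effect); only the first word gets the
    full dictionary, every later word gets the reduced count."""
    if followers is None:
        return entropy_bits([dictionary] * words)
    return entropy_bits([dictionary] + [followers] * (words - 1))


def truncated_lowercase_bits(limit=8):
    """Strength of a long lowercase passphrase on a system that keeps only the
    first `limit` characters: it degrades to `limit` lowercase letters."""
    return entropy_bits([LOWERCASE] * limit)


def truncates_at(hash_fn, limit=8):
    """Defender-side check for Eric's question: does this password scheme ignore
    characters after position `limit`?  Hash two passwords that agree on the
    first `limit` characters and differ afterwards; equal hashes mean truncation."""
    long_pw = "mylittlelambjumpedovertenredbarns"
    variant = long_pw[:limit] + "ZZZZZZZZ"
    return hash_fn(long_pw) == hash_fn(variant)


def sha256_scheme(pw):
    """A scheme that uses the whole password (unsalted here only to keep the
    example short; a real store would use a salted, slow hash)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def legacy_eight_char_scheme(pw):
    """Constructed stand-in for a scheme that, like the Solaris/AIX defaults
    mentioned in the post, only looks at the first eight characters.  This is
    not the real algorithm those systems use; it only reproduces the truncation."""
    return hashlib.sha256(pw[:8].encode()).hexdigest()


if __name__ == "__main__":
    print(f"random 8 chars:            {random_string_bits():.1f} bits")
    print(f"8 words, naive X^8:        {passphrase_bits():.1f} bits")
    print(f"8 words, 50 likely followers: {passphrase_bits(followers=50):.1f} bits")
    print(f"passphrase cut to 8 chars: {truncated_lowercase_bits():.1f} bits")
    print("sha256 truncates at 8?", truncates_at(sha256_scheme))
    print("legacy scheme truncates at 8?", truncates_at(legacy_eight_char_scheme))
```

With the constructed numbers the naive count gives the passphrase roughly 98 bits against about 53 for the random string, but once each later word is assumed to come from only 50 plausible followers the two land within a bit of each other, which is the "several orders of magnitude" Nick describes. On a system that keeps eight characters the passphrase collapses to "mylittle", around 38 bits, well below the random string. The `truncates_at` check is the same test you can run against any password store you administer: set a long password, then see whether a variant that differs only after the eighth character is accepted or hashes identically.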