Date: Fri, 8 Apr 2016 18:52:44 +0200
From: Patrick Proniewski <patpro@...pro.net>
To: passwords@...ts.openwall.com
Subject: Re: Section 3.4 of "A Canonical Password Strength Measure"

On 08 avr. 2016, at 00:10, e@...tmx.net wrote:

> This section has created most of the buzz.
> It is not the main point of the article, it is merely an example application. ...in the following sense:
> 
> you had a feeling that a really long password (such as a valid English sentence) would do the job -- I understand this sentiment, but without a clearly defined password strength measure we cannot argue about it at all -- with the proposed measure you can actually claim that the strength of a passphrase is guaranteed to be higher than the mainstream "strong" passwords recommended by popular creation policies.
> 
> or you can show me that this statement is wrong.


I do agree with you that "J'aime marcher nu dans la forêt !" is a better password than "p4ssw0rd1984", but I think it's not good advice today to tell users to use proper spelling and proper grammar when they choose a passphrase.
Correct English (or French, or other) looks like a restrictive password policy to me: it adds some/much predictability to the result. I don't know much about Shannon entropy, and not much either in math/stats, but it's quite clear that the structure of correct language makes entropy plummet.
In fact, I'm pretty confident password attackers will create, in the near future, efficient attacks against common English passphrases (maybe some statistically enhanced PRINCE attack, as a starting point).

Nevertheless, passphrases are good and way better than passwords.

patpro
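The point made above, that the structure of a correct language lowers the entropy an attacker has to search, can be made concrete with a small model. The following Python script is an added example and is not part of the thread or of the paper under discussion. It credits a string with the "naive" entropy a policy checker assumes (every character uniform over 95 printable ASCII symbols) and then scores the same string under a character-bigram model trained on a tiny constructed English corpus, the way an attacker who knows the language would. The corpus, the sample strings and the add-one smoothing are all assumptions made for the example; the numbers it prints are only indicative, since a real attacker trains on far more text.

```python
"""Added example (not from the mailing-list thread): compare the entropy a
naive checker assigns to a passphrase with the cross-entropy under a
character-bigram model that knows the language.

Assumptions: the corpus below stands in for a language corpus, the sample
strings are constructed, and add-one (Laplace) smoothing is used over the
95 printable ASCII characters plus a start-of-text boundary symbol.
"""
import math
from collections import Counter

# Alphabet a naive policy checker assumes: printable ASCII, 95 symbols.
PRINTABLE = [chr(c) for c in range(32, 127)]

# Constructed training text (assumption, lower-case letters and spaces only).
CORPUS = (
    "i like to walk in the forest when the weather is nice "
    "she likes to read in the garden and he likes to walk with the dog "
    "we walk to the river and sit in the sun until the evening comes "
    "they like the quiet of the forest more than the noise of the city"
)


def naive_bits(text: str, alphabet_size: int = len(PRINTABLE)) -> float:
    """Bits a checker credits when every character is treated as uniform."""
    return len(text) * math.log2(alphabet_size)


class BigramModel:
    """Character bigram model P(ch | prev) with add-one smoothing."""

    BOUNDARY = "\x00"  # start-of-text symbol so the first char is scored too

    def __init__(self, corpus: str):
        # Smoothing spreads mass over every printable char plus the boundary,
        # so the conditional distribution still sums to one.
        self.vocab_size = len(PRINTABLE) + 1
        self.pair = Counter()   # counts of (prev, ch)
        self.prev = Counter()   # counts of prev
        last = self.BOUNDARY
        for ch in corpus:
            self.pair[(last, ch)] += 1
            self.prev[last] += 1
            last = ch

    def prob(self, prev: str, ch: str) -> float:
        """Smoothed conditional probability; unseen pairs are not zero."""
        return (self.pair[(prev, ch)] + 1) / (self.prev[prev] + self.vocab_size)

    def bits(self, text: str) -> float:
        """Total cross-entropy in bits: -sum over chars of log2 P(ch | prev)."""
        total = 0.0
        last = self.BOUNDARY
        for ch in text:
            total -= math.log2(self.prob(last, ch))
            last = ch
        return total


def compare(text: str, model: BigramModel) -> dict:
    """Naive estimate versus language-model estimate for one string."""
    modeled = model.bits(text)
    return {
        "naive_bits": round(naive_bits(text), 1),
        "model_bits": round(modeled, 1),
        "model_bits_per_char": round(modeled / len(text), 2),
    }


# Constructed sample strings of equal length (28 characters).
ENGLISH_PHRASE = "i like to walk in the forest"
RANDOM_STRING = "Xq7!kZ2#vP9wLm&4Tb@8Rn5Ye3Uc"

if __name__ == "__main__":
    model = BigramModel(CORPUS)
    for sample in (ENGLISH_PHRASE, RANDOM_STRING):
        print(repr(sample), compare(sample, model))
```

Both samples get the same naive score because they have the same length, but the English phrase costs far fewer bits under the bigram model while the random string costs slightly more than the naive estimate (its bigrams never occur in the corpus). The gap between the two columns is the predictability the author refers to; a word-level or grammar-aware model, which is closer to what a PRINCE-style attack exploits, would widen it further.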
