Date: Sat, 9 Apr 2016 15:29:36 +0200 From: "e@...tmx.net" <e@...tmx.net> To: passwords@...ts.openwall.com Subject: Re: Passphrases: syntax vs entropy On 04/09/2016 12:23 PM, Patrick Proniewski wrote: > On 09 avr. 2016, at 10:36, e@...tmx.net wrote: > >>> I trust you on the math here, but I'm skeptical about your hypothesis. >>> You take into account the full Oxford English Dictionary, >>> [but] a "real" dictionary is probably 3000 to 10000 words long. >>> >>> You state that W^8/7294 [...] is significantly greater than W^7, >>> but that's true only for W > 7294. >>> For most users, W might be lower than 7294 >> >> You forgot the premise. we are not talking about protecting every individual user, we are talking about the properties of the passwords! >> >> The question is: does this password creation scheme provide sufficient protection? Yes it does. > > > Ok. I'm almost always thinking as the attacker, being my-self a "hobbyist" user of JtR. It helps a lot when I need to teach a user about what is a bad/poor password choice. This bias does not help much when I come across a work like yours. Thanks for the explanations. It is a good bias too, when we understand the "game" we need to know the strategies of the both sides. You gave us an important clue: passphrases composed of "commonly used words" will have priority in the attacker's dictionary. That improves our global understanding of the password strength.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.