Passwords and Entropy

Image: Entropy with decimal dice

My friend and colleague Al Dowd pointed me to Troy Hunt's blog post last April on password entropy.

A nice thing about this posting is that it talks a lot about Rainbow Tables and how they relate to password attacks. There aren't many good, general discussions of Rainbow Tables out there. While working on the textbook, I skipped the topic for two reasons: 1) it's a specific case of some general techniques I talked about already, and this is supposed to be an introductory textbook, and 2) none of the curriculum standards I followed required me to cover it.

I've been fantasizing about constructing some animated diagrams to illustrate various basic concepts, but I haven't gotten to it quite yet.

You might consider covering some persistent myths such as:

Myth: If I use a 6-character password that isn't a "word" in any printed dictionary, I'm immune to dictionary attacks.

Myth: If I use a passphrase composed entirely of 6 dictionary words, an attacker can easily guess it using a "dictionary attack".

Here are a couple of examples of this myth in the wild:

"if your cracker suspects that you use multiple dictionary words then he'll just use dictionary words concatenated together and won't do a brute force attack at all."[1]

"For a cracker, a fast way to guess a password is only offered when you do something predictable, like use something short, that's easy to memorize or something that consists of common words, or combinations of letters that you find in dictionaries. Stay away from those"[2]

I suspect that where these people are going wrong is this:

Myth: Since an attacker can guess a single dictionary word in much less than a day, if he suspects I am using a passphrase of 6 dictionary words, he can guess my 6-word Diceware passphrase in much less than 6 days.

The error is that the cost of guessing six independently chosen words multiplies rather than adds. With the 7776-word Diceware list there are 7776^6 (roughly 2^77) possible six-word passphrases, not 6 x 7776. Concatenating dictionary words is indeed the right attack against such a passphrase, since every candidate is a concatenation of list words, but the candidate space is still far out of reach.
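To make the arithmetic behind this myth concrete, here is an added Python example; it is not code from the original post or from Troy Hunt's article. It contrasts the correct multiplicative search space of a 6-word Diceware passphrase with the additive estimate the myth implies, alongside two 6-character passwords. The 7776-word list size is the standard Diceware list; the guess rate of 10^9 per second and the small sample word list are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample word list standing in for a Diceware list. The real
# list has 7776 (6^5) entries, and that number is what the arithmetic uses.
SAMPLE_WORDS = ["apple", "river", "candle", "oxygen", "tiger", "violet",
                "marble", "silver", "pillow", "rocket", "garden", "walrus"]
DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words in the standard Diceware list
PRINTABLE_ASCII = 95          # characters available to a typed 6-char password
LOWERCASE = 26
GUESS_RATE = 1e9  # assumed attacker rate: guesses/second against a fast unsalted hash


def search_space(choices, positions):
    """Number of candidates when each of `positions` slots is drawn
    independently from `choices` alternatives: choices ** positions."""
    return choices ** positions


def entropy_bits(space):
    """Entropy of a uniformly random pick from `space` candidates."""
    return math.log2(space)


def expected_seconds(space, rate=GUESS_RATE):
    """Average time to hit a uniformly chosen secret: half the space."""
    return space / 2 / rate


def myth_seconds(choices, positions, rate=GUESS_RATE):
    """The mistaken model behind the myth: guess the words one at a time,
    so the cost adds (positions * choices) instead of multiplying."""
    return positions * choices / 2 / rate


def diceware_passphrase(words, count):
    """Pick `count` words uniformly at random with a CSPRNG, as Diceware does
    with dice. Entropy is log2(len(words)) per word, whatever the words are."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(rate=GUESS_RATE):
    """Return (name, bits, expected seconds) for several constructions."""
    rows = []
    for name, choices, positions in [
        ("6 lowercase letters", LOWERCASE, 6),
        ("6 printable ASCII chars", PRINTABLE_ASCII, 6),
        ("6 Diceware words", DICEWARE_LIST_SIZE, 6),
    ]:
        space = search_space(choices, positions)
        rows.append((name, entropy_bits(space), expected_seconds(space, rate)))
    # The myth's additive estimate, for comparison with the last row above.
    rows.append(("6 Diceware words (myth's additive estimate)",
                 entropy_bits(6 * DICEWARE_LIST_SIZE),
                 myth_seconds(DICEWARE_LIST_SIZE, 6, rate)))
    return rows


if __name__ == "__main__":
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 6))
    for name, bits, secs in compare():
        print(f"{name:45s} {bits:6.1f} bits  ~{secs:.3g} s")
```

Running it shows the 6-word passphrase at about 77.5 bits and an expected cracking time of millions of years at the assumed rate, while the additive model predicts a fraction of a second; the 6-character passwords fall at roughly 28 and 39 bits and are exhausted in seconds to minutes.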

I remember the general truth about passwords: new passwords are most easily remembered if you start using them immediately, and use them often. Don't change your password at the end of the day, the end of the week, or before a holiday. Instead, change your password in the morning, at the start of the week. Your mind will be clearer, and frequent use of the new password will reinforce your memory.

