On 7 Mar 2015, at 10:41, Björn Persson wrote:
> Mike Pinkerton wrote:
>> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
>>> On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
>>>> I hope https://xkcd.com/936/ will be among the inputs to that
>>>> discussion.
>>>
>>> I'm fond of noting that pwquality has not yet blacklisted any variant
>>> of correcthorsebatterystaple. I've been using correcthorse as my stock
>>> anaconda testing password, since the strength check has been
>>> enforced...
>>
>> It won't stand up to a combinator attack:
>> <https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html>
>
> It's not entirely clear, but I guess you mean that a two-word
> combination like "correct horse" won't stand up. That appears to be
> true. A four-word phrase is an entirely different matter. Each
> additional word increases the complexity exponentially, so doubling the
> number of words squares the number of possible combinations.

The "combinator" attack that is described in the Ars Technica article
that Bruce Schneier quotes in the above link appears to be an attack
that tries combinations of multiple words from one or more of the
attacker's word lists. Certainly adding more words to the passphrase
would make that more difficult. As I don't know the current state of
the art in password cracking, I don't know whether attackers typically
limit their attacks to only two words, or extend to three or more
words.

> The catch is that the words must be *randomly* chosen. XKCD doesn't
> stress that point much, and humans are notoriously bad at choosing
> randomly. I suspect that many people make up some highly nonrandom
> four-word passphrase and think they have a "correct horse battery
> staple"-quality passphrase.

I don't think randomness matters at all, only whether the words are
in the word list(s) used by the attacker. In the Ars Technica
article, one attacker was using multiple lists, one of which included
111 million words. Another attacker limited himself to a list of 14
million words -- which were real-world passwords that were exposed in
an SQL-injection hack several years ago. Note that these "words" are
simply strings -- some might be recognizable as "words" in a spoken
or written language, while others are just character strings (e.g.,
"momof3g" or "8kids") that the attacker has culled from one source or
another.
--
Mike
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
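The two points argued in the thread above (that each extra word multiplies the combinator search space by the list size, so doubling the word count squares it, and that the words have to be chosen randomly from the list for that arithmetic to hold) can be checked numerically. The following is an added example, not code from anyone in the thread or from pwquality; the 14 million and 111 million list sizes are the ones the thread quotes from the Ars Technica article, while the guess rate of 10^9 per second and the eight-word sample list are constructed placeholders.

```python
"""Combinator search space vs. number of passphrase words, plus a
CSPRNG-based picker that actually satisfies the 'randomly chosen'
precondition. Added example; list sizes are from the thread, the guess
rate and the sample word list are constructed assumptions."""
import math
import secrets


def combinator_search_space(list_size: int, n_words: int) -> int:
    """Candidates a combinator attack must try to exhaust every
    n_words-word phrase drawn (with repetition) from a list of
    list_size entries. Separator and case variants are ignored."""
    if list_size < 1 or n_words < 1:
        raise ValueError("list_size and n_words must be positive")
    return list_size ** n_words


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of a phrase whose words are uniform picks from the list:
    each word contributes log2(list_size) bits, so bits scale linearly
    with word count while the search space scales exponentially."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def generate_passphrase(word_list, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly at random with the secrets module, so the
    only thing an attacker can exploit is the size of the list itself.
    A human-chosen phrase has no such guarantee."""
    words = list(word_list)
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, a placeholder
    YEAR = 86400 * 365
    for list_size in (14_000_000, 111_000_000):  # sizes quoted in the thread
        for n in (2, 3, 4):
            space = combinator_search_space(list_size, n)
            print(f"{list_size:>12,} words x {n}: "
                  f"{passphrase_entropy_bits(list_size, n):5.1f} bits, "
                  f"{seconds_to_exhaust(space, RATE) / YEAR:.3g} years at 1e9/s")
    # Constructed sample list; a real one would be far larger.
    sample = ["correct", "horse", "battery", "staple",
              "anaconda", "fedora", "kernel", "stack"]
    print(generate_passphrase(sample, 4))
```

Running the script shows why the thread distinguishes two words from four: with the 14 million entry list, two words give roughly 47 bits and fall to a 10^9 guess/s attacker in about two days, whereas four words give roughly 95 bits, and the squared search space is far beyond exhaustive search. The generator demonstrates the precondition: the entropy figures only apply when every word is an independent uniform pick from the list.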