15 Jun
2009
15 Jun
'09
12:48 p.m.
On Jun 15, 2009, at 12:09 PM, Dan Gahlinger wrote:
yeah that doesn't work either.
a hard password of lesser length is harder to crack.
The definition of "hard password" is generally one that is resistant
to dictionary or social attack. By that definition you've failed to
demonstrate that the passphrase I supplied in my previous example is
any more vulnerable that "C0pp3rB0tt0m" or "i013ac$Z". In the absence
of the ability to conduct a successful dictionary attack the
difficulty of brute-forcing a passsphrase is a direct function of the
length of the passphrase and the character space from which the
passphrase is chosen. In such a context passphrases have a clear
advantage, as it's easier for humans to remember sequences of words as
opposed to semi-random collections of characters, thus encouraging a
much longer length while discouraging the tendency to write down
passwords that are difficult to remember.
windows doesn't have 128 character passwords AFAIK
(I could be wrong),
but it also has a well-known algorithm,
FWIW, you're the one who introduced Windows into this discussion;
Gene's original comment had precisely nothing to do with Windows and
while your comments are valid relative to Windows that's not the
context for the conversation.
check out 0phcrack or the new version of L0phtCrack,
they will show portions of the password as they crack,
allowing you to more easily "guess" passwords as it's running.
You seem to be confusing a bad implementation of the translation of
plaintext to cryptotext and the poor storage of said cryptotext with
the relative security of passphrases vs. passwords. The two are
utterly distinct.
I remember a password that was
"AAAA####" and the program showed the alphabetic part,
was working on the numeric showing "????"
but because the alpha part shown was "Indy", I guessed the #s was a
year,
therefore I had the password in less than 30 seconds.
In order to produce a partial password the program in question must
either have access to the resulting cryptotext for the password in
question or have the Great Karnack module installed which allows it to
know things without having any way to know them. For the purposes of
the point that Gene raised getting hung up on Windows (or, for that
matter, Unix v7 or anything else that makes encrypted authentication
information visible) as a counterexample is useless. Any
authentication system designed in the past decade by anyone with
intelligence exceeding that of a pine martin is going to employ a
relatively sophisticated transform (i.e., not crypt() and not an
MD5sum) and isn't going to allow you to see the stored cryptotext,
meaning that you're actually going to have to submit each password to
the system for authentication rather than have some program magically
spew it out to you.
--
Chris Kennedy
chris at mainecoon.com AF6AP
http://www.mainecoon.com PGP KeyID 108DAB97
PGP fingerprint: 4E99 10B6 7253 B048 6685 6CBC 55E1 20A3 108D AB97
"Mr. McKittrick, after careful consideration..."