evilthought2 Wrote:
> Lars Wrote:
> > "The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find."
> > https://www.schneier.com/blog/archives/ ... ood_a.html
> > I left a comment on his page ..
> > https://www.schneier.com/blog/archives/ ... nt-3570382
> > I doubt he will respond though
>
> I'd stay away from dictionary-based passwords any day!!
You shouldn't, as they are better passwords: not only can a user remember them easily, but they are often stronger (more entropy). This advice is especially true when a user is not using a password manager like LastPass. The only care that must be taken is that the words chosen should be randomly selected, as humans are not good at randomly selecting words.
My experience is that people who start to reason about the usefulness of passphrases and exclude math from that reasoning, like your opponents, cannot be convinced of the advantages of phrases. This thread is another proof of that. (I also left a comment on the page referred to.)
Besides the math of passphrases, I find the following pages convincing:
- A comparison table of the strength of various password lengths and complexities, also including pass phrases, see https://en.wikipedia.org/wiki/Password_strength
- A nice graphic that also includes dictionary lengths in the comparison, see http://blog.webernetz.net/?s=password
- And to do the math and analysis: my own pass phrase generator and analyzer, see http://itura.nl/simthrow.html
There is one aspect I miss in the discussion here. Many sites still do not accept pass phrases or make their use impossible. I often have to append A1* to a phrase just to meet the site's PW requirement of using at least a capital, a number and a symbol.
Sites like Skype, PayPal, eBay limit passwords to 20 characters. An average word length of ~5 would allow for a 4-word phrase, which is too short for those sites, I think. (Some do allow 2-factor authorization though.)
And LastPass also calculates the strength of a pure phrase as low; I sometimes get a warning about that.
But there is hope! IT services at Stanford University introduced new password requirements, see http://itservices.stanford.edu/service/accounts/passwords
It's a kind of sliding scale, balancing length and complexity requirements:
- A PW length of less than 12 characters requires the use of all character types: aA1*
- Above 20 characters there is no complexity requirement, so pass phrases fit in well. They even have a note about using pass phrases.
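The math the posts above lean on (entropy of randomly chosen words versus random characters, what fits under a 20-character limit, and a length/complexity sliding scale like the Stanford tiers quoted) can be worked through in a few lines. The following is an added example written for this thread; it is not the simthrow tool from itura.nl, nor Stanford's or LastPass's code. The word list is a constructed eight-word stub, the dictionary size 7776 is assumed to match a standard diceware list, the 12..19 character band of the sliding scale is not described on the page and is modelled with an assumed placeholder, and "above 20" is read here as 20 or more.

```python
import math
import secrets

# Constructed demo word list (assumption: a real list has thousands of words).
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "lattice", "orbit", "velvet", "quarry"]
DICEWARE_SIZE = 7776   # assumed size of a standard diceware list (6^5)
ALL_PRINTABLE = 94     # printable ASCII without space: aA1* style alphabet


def passphrase_entropy_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of num_words words drawn uniformly (with replacement) from a
    dictionary of dictionary_size entries: log2(N ** k) = k * log2(N)."""
    return num_words * math.log2(dictionary_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a length-character password with each character drawn
    uniformly from alphabet_size symbols: log2(A ** L) = L * log2(A)."""
    return length * math.log2(alphabet_size)


def random_passphrase(words, num_words: int, sep: str = " ") -> str:
    """Pick the words with the OS CSPRNG (secrets), never by hand: the entropy
    figures above only hold if every word is chosen uniformly at random."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def words_that_fit(max_len: int, avg_word_len: int = 5, sep_len: int = 1) -> int:
    """How many average-length words plus separators fit under a site's length cap.
    k words need k*avg_word_len + (k-1)*sep_len characters."""
    return (max_len + sep_len) // (avg_word_len + sep_len)


def character_classes(pw: str) -> set:
    """Which of the four classes (lower, upper, digit, symbol) appear in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")   # space and punctuation count as symbols here
    return classes


def sliding_scale_ok(pw: str, mid_tier_classes: int = 3) -> bool:
    """Length/complexity sliding scale modelled on the two tiers quoted above:
    under 12 characters -> all four classes required;
    20 or more characters -> no complexity requirement (so a plain phrase passes).
    The 12..19 band is not described on the page; mid_tier_classes is an assumed
    placeholder, not the real rule."""
    n = len(pw)
    classes = character_classes(pw)
    if n < 12:
        return len(classes) == 4
    if n >= 20:
        return True
    return len(classes) >= mid_tier_classes


def compare(num_words: int = 4, pw_len: int = 8, site_cap: int = 20) -> dict:
    """Side-by-side numbers for the thread's running example."""
    fit = words_that_fit(site_cap)
    return {
        "phrase_bits": round(passphrase_entropy_bits(num_words, DICEWARE_SIZE), 2),
        "password_bits": round(password_entropy_bits(pw_len, ALL_PRINTABLE), 2),
        "words_under_cap": fit,
        "capped_phrase_bits": round(passphrase_entropy_bits(fit, DICEWARE_SIZE), 2),
    }


if __name__ == "__main__":
    print(compare())
    phrase = random_passphrase(DEMO_WORDS, 4)
    print(phrase, sliding_scale_ok(phrase))
```

The comparison shows why the thread's two camps talk past each other: four random diceware words (about 51.7 bits) and eight fully random printable characters (about 52.4 bits) are roughly equal, but a 20-character cap only leaves room for three average words (about 38.8 bits), and a policy that forces aA1* onto a short password says nothing about a long phrase that the sliding scale would simply accept.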