From: "Eric F Crist"
To: "'Ryan Thompson'", "'Bill Moran'"
Subject: RE: Password security
Date: Thu, 20 Jun 2002 00:08:14 -0500

Ryan Thompson wrote to Bill Moran:

> [...]
> Yes, certainly. Calculating the entropy of that beast would be a bit
> difficult... One could just say 26^20, but if I know (or guess) it's
> English, and every letter doesn't occur with nearly the same
> probability, it's less than that. If I happen to know your algorithm,
> and have a dictionary of poetry and/or lyrics handy, it's a *lot* less
> than that. If you can mix upper/lower and add punctuation (i.e., "Lo,
> Fred's chickens laid 24 eggs!" => "L,F'scl2e!", makes for a stronger
> password). More stats than I'd like to do at the moment. :-)
> [...]

What I failed to point out was that, if you're using FreeBSD, which I
assume you are, as you're posting to this group, the FreeBSD login
utility still only recognizes 8 character passwords, unless you've
changed that. A 20 character password will still do you no good since:

ad93fj93ja@#9cjf@jfd

is looked at as the exact same password as:

ad93fj93e93jf!edkjie

Just a thought....

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com
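
An audit sketch for the point made in the message above, added here as an example and not part of the original post: it classifies the hash field of each master.passwd-style line and reports how many leading password bytes that format uses. It assumes the 8-character limit described is that of traditional DES crypt(3) hashes; the sample entries, their hashes, and the function names are constructed for illustration.

```python
import re

# (scheme name, pattern for the hash field, leading password bytes the scheme uses)
# A limit of None means the whole password is hashed.
SCHEMES = [
    ("des", re.compile(r"[./0-9A-Za-z]{13}"), 8),     # traditional crypt(3)
    ("md5", re.compile(r"\$1\$.+"), None),            # MD5-crypt
    ("blowfish", re.compile(r"\$2[abxy]?\$.+"), 72),  # bcrypt
]

def classify(hash_field):
    """Return (scheme, limit) for one hash field."""
    for name, pattern, limit in SCHEMES:
        if pattern.fullmatch(hash_field):
            return name, limit
    return "other", None  # locked ("*"), empty, or a format not listed here

def audit(passwd_text):
    """Return (user, scheme, limit) for each colon-separated passwd line."""
    rows = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rows.append((fields[0], *classify(fields[1])))
    return rows

def collide(pw_a, pw_b, limit):
    """True if both passwords present identical input to a scheme with this limit."""
    return pw_a.encode()[:limit] == pw_b.encode()[:limit]

# Constructed sample in master.passwd layout; the hashes are made-up placeholders.
SAMPLE = """\
alice:abJnggxhB/yWI:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$PLACEHOLDERPLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, limit in audit(SAMPLE):
        print(user, scheme, limit)
    a, b = "ad93fj93ja@#9cjf@jfd", "ad93fj93e93jf!edkjie"  # the two passwords from the message
    print(collide(a, b, 8), collide(a, b, None))
```

Accounts reported as `des` are the ones where a long passphrase adds nothing beyond its first eight characters; rehashing them requires changing the configured format and having the user set the password again.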