Date: Fri, 17 May 2002 19:46:52 +0200 From: Gerhard Sittig <Gerhard.Sittig@gmx.net> To: security@freebsd.org Subject: Re: How secure is a password and how many characters does it allow? Message-ID: <20020517194652.I1494@shell.gsinet.sittig.org> In-Reply-To: <2079.213.112.58.238.1021587760.squirrel@phucking.kicks-ass.org>; from z3l3zt@phucking.kicks-ass.org on Fri, May 17, 2002 at 12:22:40AM %2B0200 References: <007901c1fd27$02f29a10$fa00a8c0@elixor> <2079.213.112.58.238.1021587760.squirrel@phucking.kicks-ass.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, May 17, 2002 at 00:22 +0200, Jesper Wallin wrote:
>
> How will that effect my security? Isn't it more secure to use 128 characters
> instead of 8? Sounds like, if the security was the same the blowfish would
> be default or something similar.. What do You recommend?
[ not only replying to "you", Jesper, but to the general audience ]
You probably missed one important point: If you merely make
a password longer by using prose you don't increase the
entropy(sp?). The result is no gain in security while you
grow a false feeling of safety -- i.e. you effectively lower
your security!
"Longer" is not necessarily better, "more unpredictable" is.
While real language words have roundabout one bit of entropy
per character one should use a password generator or -- to get
a non guessable word with enough characters while it's still
not in a dictionary -- think of a sentence and pick the first
(last / every second / choose something) character of the words.
This usually results in three to four bits of entropy per
character. A seven letter password can be stronger than a
twenty letter word.
And yes, while in the traditional DES algorithm only the first
eight characters are significant (while you can type as many
as you want to) alternative algorithms use more significant
characters (MD5: 128) or stronger/faster hashing methods (f.e.
blowfish lets you tune the number of iterations it does, to
balance the speed of verification and the cost of brute forcing
passwords). The reason they are not enabled by default is
keeping compatibility to those platforms which don't support
alternative algorithms in heterogenous(sp?) environments. When
all the machines / systems in your environment support MD5 or
blowfish, you're free to switch to those more modern algorithms.
Otherwise you would get into trouble when using networked user
databases.
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020517194652.I1494>