[LINK] Millions of LinkedIn passwords leaked online
Kim Holburn
kim at holburn.net
Fri Jun 8 11:43:26 AEST 2012
On 2012/Jun/08, at 7:58 AM, Glen Turner wrote:
> On 07/06/12 15:32, Richard Chirgwin wrote:
>> I prefer the XKCD approach to passwords:
>> http://xkcd.com/936/
>
> The math in that is wrong, because in practice the choice of words is
> not independent of the other words.
>
> Consider that people will avoid anti-grammatical word selection and
> order. e.g. the odds of five verbs are less than randomness would
> suggest; the probability of word order following a common grammatical
> construct is higher than the probability of the word order being random.
>
> Your GumnutsFiveAntsCuttingSunflowers is a fine example of the point, with
> ADJECTIVE NOUN
> and
> NOUN VERB NOUN
> rather than ordering independent of grammar.
The size of the symbol space of words is far greater than that of letters. Even if you account for the lowering of information entropy due to usage (phrases etc.) it's still huge. If you add misspellings etc. it's greater still. If you look at a password as a number of words, then 5 random words have an entropy of around 14 random lower-case letters. And that's only using an 8000-word list.
(https://en.wikipedia.org/wiki/Password_strength#Random_passwords)
> Which isn't to say that Gumnuts password isn't better than 99% of them.
> Which is the essential issue with passwords, and why we need to stop
> using them and start using authentication devices and federated
> authentication instead.
>
> --
> Glen Turner www.gdt.id.au/~gdt
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
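The entropy arithmetic behind the "5 words from an 8000-word list is about 14 random lower-case letters" comparison, with Glen's grammar objection modelled as each word slot being restricted to a part-of-speech subset. This is an added example, not code from either poster; the 8000-word list is the figure from the thread, but the split into 4000 nouns, 2000 verbs and 2000 adjectives is a constructed assumption, and the pattern ADJECTIVE NOUN NOUN VERB NOUN is Glen's parse of the example passphrase.

```python
import math

def entropy_bits(pool_size, picks):
    """Bits of entropy in `picks` independent, uniform choices from a pool of `pool_size` symbols."""
    return picks * math.log2(pool_size)

def equivalent_symbols(bits, alphabet_size):
    """Fewest symbols from an alphabet of `alphabet_size` that carry at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def passphrase_bits(slot_pool_sizes):
    """Entropy of a passphrase whose i-th word is drawn uniformly from a pool of slot_pool_sizes[i] words.

    With every slot drawing from the whole wordlist this equals entropy_bits(list_size, words).
    A grammar-shaped phrase restricts each slot to a part-of-speech subset, so the attacker's
    search space is the product of the subset sizes. Assuming the attacker knows the pattern
    is the conservative (worst-case) estimate.
    """
    return sum(math.log2(n) for n in slot_pool_sizes)

# Constructed assumption: how an 8000-word list might split by part of speech. Not from the thread.
WORDLIST = 8000
POS_POOLS = {"NOUN": 4000, "VERB": 2000, "ADJECTIVE": 2000}
# Glen's parse of GumnutsFiveAntsCuttingSunflowers: ADJECTIVE NOUN, then NOUN VERB NOUN.
GRAMMAR_PATTERN = ["ADJECTIVE", "NOUN", "NOUN", "VERB", "NOUN"]

def compare_passphrases(words=5, list_size=WORDLIST, pattern=GRAMMAR_PATTERN, pools=POS_POOLS):
    """Entropy of an order-independent passphrase versus one forced into a grammar pattern,
    each also expressed as the number of random lower-case letters it is worth."""
    independent = entropy_bits(list_size, words)
    constrained = passphrase_bits([pools[p] for p in pattern])
    return {
        "independent_bits": independent,
        "grammar_bits": constrained,
        "independent_letters": equivalent_symbols(independent, 26),
        "grammar_letters": equivalent_symbols(constrained, 26),
    }

if __name__ == "__main__":
    r = compare_passphrases()
    print(f"5 words, any order, from {WORDLIST} words: {r['independent_bits']:.1f} bits "
          f"~ {r['independent_letters']} random lower-case letters")
    print(f"5 words forced into {' '.join(GRAMMAR_PATTERN)}: {r['grammar_bits']:.1f} bits "
          f"~ {r['grammar_letters']} random lower-case letters")
    print(f"8 random characters from [A-Za-z0-9]: {entropy_bits(62, 8):.1f} bits")
```

Under these assumptions the grammar constraint costs about 7 bits, which still leaves the five-word phrase well above a random 8-character alphanumeric password.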