
List:       gnupg-users
Subject:    Re: A better way to think about passwords
From:       "Robert J. Hansen" <rjh () sixdemonbag ! org>
Date:       2011-04-22 18:17:45
Message-ID: 4DB1C649.3080101 () sixdemonbag ! org

On 4/22/11 10:04 AM, Nicholas Cole wrote:
> What I meant was rather this: there are several strategies that
> produce good passwords.  Teaching them requires (at some employers) a
> 30 minute course or the reading of a web page.  However, forcing any
> *particular* strategy onto users will dramatically reduce the time it
> takes to guess a password, since knowing the strategy reduces the
> number of possibilities dramatically.

Let's have a thought experiment: your particular situation is such that
you want attackers to face at least a 9-bit keyspace, but you also want
to disqualify easy, commonly-used keys.

Answer: tell users their passwords must be any number between 0 and 999
inclusive, except that it can't be in the range 0-9, or be any two- or
three-character repeating password (no 11, no 222, no 33, but 331 is
fine).  This is meant to keep people from choosing weak passwords.  This
has the net effect of striking 10 (0-9) + 9 (11+22+33... etc.: note that
00 is already struck under the "no 0-9" rule) + 9 (111+222+333... etc.)
= 28 possibilities.

You've reduced the original 9.97-bit keyspace to 9.92 bits, which still
exceeds your requirements.  At the same time, you're preventing users
from choosing trivially weak and easily guessable passwords.

Your observation is correct only if excluding certain passphrases causes
the entropy of the keyspace to drop below your requirements.  Otherwise,
there's no problem with strategy enforcement.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
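The keyspace arithmetic in the thought experiment above, as an added example that is not part of the original post: it enumerates the 0-999 candidates, applies the stated exclusion rules as a predicate, and reports how many values were struck and how many bits of keyspace remain, so the same check can be run for any other policy predicate or required minimum.

```python
import math
from typing import Callable, Iterable, Tuple

def hansen_policy_excludes(n: int) -> bool:
    """Exclusion rules from the post: reject 0-9, and reject any two- or
    three-character value made of one repeated digit (11, 222, ...)."""
    if 0 <= n <= 9:
        return True
    digits = str(n)
    return len(digits) in (2, 3) and len(set(digits)) == 1

def keyspace_after_policy(candidates: Iterable[int],
                          excluded: Callable[[int], bool]) -> Tuple[int, int, float, float]:
    """Return (struck, remaining, original_bits, remaining_bits) for a policy
    that strikes every candidate for which `excluded` returns True."""
    pool = list(candidates)
    allowed = [c for c in pool if not excluded(c)]
    original_bits = math.log2(len(pool))
    remaining_bits = math.log2(len(allowed))
    return len(pool) - len(allowed), len(allowed), original_bits, remaining_bits

def policy_meets_requirement(candidates: Iterable[int],
                             excluded: Callable[[int], bool],
                             min_bits: float) -> bool:
    """The test the post proposes: strategy enforcement is only a problem if
    the keyspace left after exclusions drops below the required entropy."""
    _, _, _, remaining_bits = keyspace_after_policy(candidates, excluded)
    return remaining_bits >= min_bits

if __name__ == "__main__":
    struck, left, before, after = keyspace_after_policy(range(1000), hansen_policy_excludes)
    print(f"struck {struck}, {left} remain: {before:.2f} -> {after:.2f} bits "
          f"(loss {before - after:.3f} bits)")
    print("meets 9-bit requirement:", policy_meets_requirement(range(1000), hansen_policy_excludes, 9))
```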