Re: [Air-L] Fwd: most popular passwords (Sari)
Leuven my baaaaaaby! Beautiful you are!
/Sari

On Tue, Nov 9, 2010 at 1:04 PM, Seda Guerses <sguerses@esat.kuleuven.be> wrote:
this is a belated answer to the password discussion and what counts as a secure password.
there was a recent paper at ccs on why entropy based metrics (or for that matter most other universal metrics) do not provide formulas for secure passwords, since the attacker models cannot be foreseen. the authors state in their conclusion:
Our experiments categorically show that the notion of password entropy, as put forward in the NIST SP800-63 document, does not provide a valid metric for measuring the security provided by password creation policies. This is not to cast dispersions at the rest of the SP800-63 document which is otherwise of the highest quality. Furthermore, we validated the findings in [7], using empirical evidence, that there is no way to convert the notion of Shannon entropy into the guessing entropy of password creation policies.
the author has since written some further blog posts discussing the results:
http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metri...
nevertheless, knowing the most popular passwords is probably in itself important feedback to any "root", if not non-root users, cheers, s.
Message: 2
Date: Thu, 4 Nov 2010 00:30:59 +0100
From: Sari <angyjoe@gmail.com>
To: air-l@listserv.aoir.org
Subject: Re: [Air-L] Fwd: most popular passwords
Message-ID: <AANLkTinwtg8L-t-kPBWUOUecNfHGz0CW9vzjP5xHbRmC@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252
I just love the password generator http://keepass.info/screenshots/pwgen_big.png in KeePass. You can easily get a password that is strong enough (in bits please, NOT in number of symbols) to remain secure over your entire lifetime?
I know, you won't be able to remember it (of course, I don't), but you can always save it in an encrypted KeePass database. For portability, copy that database to your memory stick. Lose your memory stick (I did)? No problem, since the database is safeguarded under AES 256 bit.
AES might not stay safe for a long time to come though, see the recent: http://portal.acm.org/citation.cfm?id=1713127
/Sari
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
_______________________________________________
The Air-L@listserv.aoir.org mailing list is provided by the Association of Internet Researchers http://aoir.org
Subscribe, change options or unsubscribe at: http://listserv.aoir.org/listinfo.cgi/air-l-aoir.org
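The gap Seda's quoted paper points at, between a policy-based "entropy" score, the Shannon entropy of what users actually pick, and the number of guesses an attacker who tries popular passwords first really needs, can be made concrete. The following is an added example, not code from the thread, the paper or NIST; it assumes the length-based scoring rule of NIST SP 800-63 Appendix A as recalled here (dictionary bonus omitted) and runs on a constructed sample of 100 passwords, not real leaked data.

```python
import math
from collections import Counter

# Constructed sample of 100 user-chosen passwords (not a real leak): a few
# popular choices dominate, as in the revealed password sets the CCS paper
# attacked. The uniform sample reuses the same 23 distinct strings once each.
SKEWED = (["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15
          + ["user%03d!" % i for i in range(20)])
UNIFORM = sorted(set(SKEWED))


def nist_entropy_bits(pw, composition_rules=False):
    """Length-based heuristic from NIST SP 800-63 Appendix A (user-chosen
    passwords), as assumed here: 4 bits for the first character, 2 for each
    of characters 2-8, 1.5 for characters 9-20, 1 per character beyond 20;
    +6 if upper-case and non-alphabetic characters are required."""
    n = len(pw)
    bits = 4.0 if n else 0.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    return bits + (6.0 if composition_rules else 0.0)


def shannon_entropy_bits(passwords):
    """Shannon entropy of the observed password distribution, in bits."""
    total = len(passwords)
    probs = [c / total for c in Counter(passwords).values()]
    return -sum(p * math.log2(p) for p in probs)


def guessing_entropy(passwords):
    """Expected number of guesses for an attacker who tries candidates in
    decreasing order of popularity (Massey's guessing entropy)."""
    total = len(passwords)
    ranked = sorted(Counter(passwords).values(), reverse=True)
    return sum((rank + 1) * c / total for rank, c in enumerate(ranked))


def cracked_within(passwords, k):
    """Fraction of accounts that fall to the k most popular guesses."""
    ranked = sorted(Counter(passwords).values(), reverse=True)
    return sum(ranked[:k]) / len(passwords)


if __name__ == "__main__":
    # Every 8-character entry scores the same 18 NIST bits in both samples,
    # while the guess counts and the share lost to 3 guesses differ sharply.
    for name, sample in (("skewed", SKEWED), ("uniform", UNIFORM)):
        print("%-7s NIST(8 chars)=%.1f  Shannon=%.2f bits  guesses=%.2f  "
              "3-guess loss=%.0f%%" % (name, nist_entropy_bits("password"),
              shannon_entropy_bits(sample), guessing_entropy(sample),
              100 * cracked_within(sample, 3)))
```

The skewed sample has about 2.8 bits of Shannon entropy yet 80% of its accounts fall to three guesses; the uniform sample over the same strings needs 12 guesses on average, and the NIST score cannot tell the two apart.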