Re: [security flaw] Ubuntu is a plain text offender



On 5/23/2011 11:58 AM, Kent Borg wrote:
Steve Flynn wrote:
Across 54 sites, my average password length is 20.1 bytes (I try to
generate 32 byte passwords by default but some sites restrict me down
to say 12).

Be warned that sometimes passwords are silently truncated to just a few
bytes, accepting long passwords, but ignoring all the good entropy.

Also, I count my passwords in bits of entropy, not bytes of ASCII. That
is, I don't generate passwords by thinking up something that *seems*
random and measure the output, rather I use a real random source to
choose the content and measure the input. For example, if you had a list
of 64 words, you could use 6 coin tosses to select one word from the
list (2^6 = 64), so one word so chosen has 6 bits of entropy. If you use
a longer word list and repeat, it is possible to come up with an
easy-to-remember passphrase that is pretty good.

For example: "beauty-alias-citizen" or "budget-sunset-radio" each have
32 bits of entropy. (I have a program that does that.)

Actually, 'beauty-alias-citizen' has between 86 and 94 (rounded) bits of
entropy depending on your math and method of calculation. And it's a
very weak password. Aside from having under 100 random bits of entropy,
entropy alone cannot decide password strength.

A.) PIN Passwords [0-9] each letter has 3.3219 bits
B.) Simple Hex Passwords [a-z, 0-9] each letter has 4 bits

It goes up from there

1.) Your password is vulnerable to dictionary attacks.
2.) Your password is vulnerable to common brute force attacks.
3.) Your password contains a single repeated ASCII symbol.

A.) Pass should contain multiple symbols.
B.) Pass should contain letters and numbers, upper and lower.
C.) Pass should have at least 2 characters that repeat (non-sequential)

The list goes on but it's not my job to lecture you on how bad that pass
is, it's just my job to correct the bad math and then give tips.

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
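As an added example, not code from anyone in this thread, the following Python script generates a passphrase the way Kent describes (a CSPRNG picks words from a list, and the entropy is measured from the input: list size and number of picks, not from how random the output looks), reproduces the per-character figures given in the reply, and shows how much entropy survives when a site silently truncates a long password. The 64-entry word list is constructed for the demo and stands in for a real list.

```python
import math
import secrets

# Constructed 64-word list (a stand-in for a real word list); 64 entries
# means each uniformly chosen word carries log2(64) = 6 bits, the same
# as six coin tosses.
WORDLIST = [f"word{i:02d}" for i in range(64)]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn independently and uniformly from
    an alphabet of `alphabet_size` choices: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, n_words: int, sep: str = "-"):
    """Pick n_words from wordlist with a CSPRNG; return (phrase, bits).
    The bits come from the selection process, not from the characters."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(words), entropy_bits(len(wordlist), n_words)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Fewest words from a list of wordlist_size that reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def chars_needed(alphabet_size: int, target_bits: float) -> int:
    """Fewest uniformly random characters (10 = PIN digits, 16 = hex,
    62 = mixed-case alphanumerics) that reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits(alphabet_size: int, length: int, stored_prefix: int) -> float:
    """Entropy that survives if the site silently keeps only the first
    stored_prefix characters of a length-character random password."""
    return entropy_bits(alphabet_size, min(length, stored_prefix))


if __name__ == "__main__":
    phrase, bits = generate_passphrase(WORDLIST, 3)
    print(f"{phrase}: {bits:.1f} bits")
    print("one PIN digit:", round(entropy_bits(10, 1), 4), "bits")
    print("one hex digit:", entropy_bits(16, 1), "bits")
    print("hex chars needed for 80 bits:", chars_needed(16, 80))
    print("32 random [a-z0-9] chars, only 8 stored:",
          round(effective_bits(36, 32, 8), 1), "bits")
```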
