Monday, June 09, 2008
Password complexity vs length
I have always chosen complex passwords over longer passwords, but which is actually more secure?
Let's consider a standard password creation scheme where we use a phrase, take the first letter of each word and substitute the occasional letter with punctuation or a number. So "Mary had a little lamb its fleece was white as snow" would become Mh4l1ifwWa$ - nice and complex. But how does that compare against a password like "mary had a little lamb."?
Let's calculate the keyspace. In the complex password example each of the 11 characters has 72 possible values, assuming 26 uppercase letters, 26 lowercase letters, 10 digits and 10 punctuation characters. In the long password example each of the 23 characters has 30 possible values, assuming 26 lowercase letters and 4 punctuation characters (space, comma, full stop and exclamation mark).
Complex password = possible values to the power of the length = 72^11 = 2.7 x 10^20
Long password = possible values to the power of the length = 30^23 = 9.4 x 10^33
So the keyspace of "mary had a little lamb." is 34,924,596,548,080 times larger than that of Mh4l1ifwWa$. Length trumps complexity!
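The keyspace arithmetic above, as an added Python example that is not part of the original post. It goes a little further than the post: it also works out the shortest password from the 30-character alphabet that beats the complex one, and, under an assumed 10,000-word dictionary (my assumption, not the post's), what the passphrase is worth if an attacker guesses whole words instead of single characters.

```python
import math

# Alphabet sizes exactly as the post states them.
COMPLEX_CHARSET = 26 + 26 + 10 + 10   # upper, lower, digits, 10 punctuation = 72
LONG_CHARSET = 26 + 4                 # lowercase + space, comma, full stop, exclamation = 30

COMPLEX_PASSWORD = "Mh4l1ifwWa$"            # 11 characters
LONG_PASSWORD = "mary had a little lamb."  # 23 characters


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters drawn from an alphabet of `charset_size`."""
    return charset_size ** length


def bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed as bits, assuming every character is picked uniformly at random."""
    return length * math.log2(charset_size)


def keyspace_ratio(long_charset: int, long_len: int, complex_charset: int, complex_len: int) -> int:
    """How many times larger the long password's keyspace is than the complex password's."""
    return keyspace(long_charset, long_len) // keyspace(complex_charset, complex_len)


def min_length_to_beat(target_keyspace: int, charset_size: int) -> int:
    """Smallest length at which charset_size ** length exceeds target_keyspace (exact integer search)."""
    n = 1
    while keyspace(charset_size, n) <= target_keyspace:
        n += 1
    return n


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Upper bound on a passphrase's strength when the attacker guesses whole dictionary words.

    This is the caveat to the character-level figure: if the words come from a small
    vocabulary (10,000 words is an assumed size), the effective keyspace is
    dictionary_size ** word_count, not charset ** characters.
    """
    return word_count * math.log2(dictionary_size)


if __name__ == "__main__":
    c = keyspace(COMPLEX_CHARSET, len(COMPLEX_PASSWORD))
    l = keyspace(LONG_CHARSET, len(LONG_PASSWORD))
    print(f"complex: 72^11 = {c:.1e} ({bits(COMPLEX_CHARSET, 11):.1f} bits)")
    print(f"long:    30^23 = {l:.1e} ({bits(LONG_CHARSET, 23):.1f} bits)")
    print(f"ratio: {keyspace_ratio(LONG_CHARSET, 23, COMPLEX_CHARSET, 11):,}")
    print(f"30-char alphabet beats 72^11 from length {min_length_to_beat(c, LONG_CHARSET)}")
    print(f"5 words from a 10,000-word dictionary: {passphrase_bits(5, 10_000):.1f} bits")
```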
Labels: Security
Sunday, January 27, 2008
Security Focus Pen-Test List Most Annoying Top 3
I have been a subscriber to the Security Focus Pen-Test mailing list for a long time. Over the years the same questions keep coming up and I wish the moderators would stop letting them through. I have compiled my Top 3 Most Annoying questions on the Pen-Test list.
- What's the best way to learn? / How do I set up a lab?
This is essentially the same question with the same answer... Virtualization. Use the free VMware Server, download free tools and practice against your own machines, not other people's without permission.
- What's the best OS/Linux/Bootable CD for Pen-Testing?
BackTrack - bootable or install it. Any Linux. Windows with coLinux or Cygwin.
- How do I report a vendor vulnerability?
OK, this is just bragging or attention seeking. There is plenty of documentation on the net about how to do this.
Labels: Security