


Posted Oct 18, 2011 0:25 UTC (Tue) by dlang (subscriber, #313)
In reply to: XKCD by rgmoore
Parent article: Enforcing password strength

Remember that predictable to the attacker is not the same as predictable to the user. Something may be very predictable to one particular user, but attackers can't assume that users will do that.

That being said, I see a common mistake in a lot of people making passwords where they are attempting to make good passwords.

If you _always_ replace a with @, o with 0, l with 1, t with 7, etc., you aren't really much better off than using the plain text. Enough people make these substitutions, and make them _every_ time the potential comes up, that doing so doesn't significantly increase the problem space.



Posted Oct 18, 2011 1:42 UTC (Tue) by nlucas (subscriber, #33793)

Right, but the article doesn't say the padding must be simple things like "......" or "+++++".

You can decide to pad "dog" with "qw34rty", like "dogqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rtyqw34rty", and even if they are repetitions I doubt this will be on any rainbow table.

The magic is just to decide on a padding that in effect is random to the attacker, like "9fe8jn" repeated 20 times, added to simple dictionary words.

The point of the article is that, as long as one doesn't copy padding techniques from a friend, they are more secure passwords than a simple 10-character random one.

The major problem with this is stupid sites that restrict password length, which by itself shows that the site security is not trustworthy, whatever secure password you choose.
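
The two points made in this thread, as an added example that is not part of either comment: a strength estimator that undoes the substitutions dlang lists and collapses a repeated padding unit of the kind nlucas describes. The wordlist, the 95-character alphabet and the guessing model (dictionary words, their fully substituted forms, then tail padding) are assumptions made for illustration.

```python
import math
import re

# Inverse of the substitutions named in the thread (a->@, o->0, l->1, t->7).
DELEET = str.maketrans("@017", "aolt")
# Constructed sample wordlist; a real checker would load a large dictionary.
WORDLIST = {"dog", "password", "total", "letmein"}
PRINTABLE = 95  # assumed alphabet size for text treated as random


def split_padding(pw):
    """Return (head, unit, count) with pw == head + unit * count, using the
    longest repeated tail (count >= 2); (pw, "", 0) if there is none."""
    for i in range(len(pw)):
        tail = pw[i:]
        m = re.fullmatch(r"(.+?)\1+", tail, re.DOTALL)
        if m:
            unit = m.group(1)
            return pw[:i], unit, len(tail) // len(unit)
    return pw, "", 0


def estimate_bits(pw):
    """Rough guessing cost in bits under the assumed model above.
    Letter case is ignored, which slightly understates mixed-case words."""
    head, unit, count = split_padding(pw)
    if head.lower().translate(DELEET) in WORDLIST:
        # Plain or always-substituted form: one bit on top of the wordlist.
        bits = math.log2(2 * len(WORDLIST))
    else:
        bits = len(head) * math.log2(PRINTABLE)
    if unit:
        # The unit is scored as random text; repeating it adds only the
        # choice of how many times it is repeated.
        bits += len(unit) * math.log2(PRINTABLE) + math.log2(count)
    return bits


if __name__ == "__main__":
    for sample in ("password", "p@ssw0rd", "dog......", "dog" + "qw34rty" * 13):
        print(f"{estimate_bits(sample):6.1f} bits  {split_padding(sample)}")
```
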
