[Air-L] Fwd: most popular passwords (Sari)

Seda Guerses sguerses at esat.kuleuven.be
Tue Nov 9 04:04:06 PST 2010

this is a belated answer to the password discussion and what counts as  
a secure password.

there was a recent paper at ccs on why entropy based metrics (or for  
that matter most other universal metrics) do not provide formulas for  
secure passwords, since the attacker models cannot be foreseen. the  
authors state in their conclusion:

Our experiments categorically show that the notion of password
entropy, as put forward in the NIST SP800-63 document, does not
provide a valid metric for measuring the security provided by
password creation policies. This is not to cast dispersions at the
rest of the SP800-63 document which is otherwise of the highest
quality. Furthermore, we validated the findings in [7], using
empirical evidence, that there is no way to convert the notion of
Shannon entropy into the guessing entropy of password creation

the author has since written some further blog posts discussing the  

nevertheless, knowing the most popular passwords is probably in itself  
important feedback to any "root", if not non-root users,

Message: 2
Date: Thu, 4 Nov 2010 00:30:59 +0100
From: Sari <angyjoe at gmail.com>
To: air-l at listserv.aoir.org
Subject: Re: [Air-L] Fwd: most popular passwords
	<AANLkTinwtg8L-t-kPBWUOUecNfHGz0CW9vzjP5xHbRmC at mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

I just love the password generator
http://keepass.info/screenshots/pwgen_big.png in Keypass. You can  
easily get
a password that is strong enough (in bits please, NOT in number of  
to remain secure over your entire life time?

I know, you won't be able to remember it (of course, I don't), but you  
always save it in an encrypted Keypass database. For portability, copy  
database to your memory stick. Lose you memory stick (I did)? No  
since the database is safeguarded under AES 256 bit.

AES might not stay safe for a long time to come though, see the recent:


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

More information about the Air-L mailing list