[Air-L] Fwd: most popular passwords (Sari)

Sari angyjoe at gmail.com
Wed Nov 10 21:09:00 PST 2010

Leuven my baaaaaaby!
Beautiful you are!


On Tue, Nov 9, 2010 at 1:04 PM, Seda Guerses <sguerses at esat.kuleuven.be> wrote:

> this is a belated answer to the password discussion and what counts as a
> secure password.
> there was a recent paper at ccs on why entropy based metrics (or for that
> matter most other universal metrics) do not provide formulas for secure
> passwords, since the attacker models cannot be foreseen. the authors state
> in their conclusion:
> Our experiments categorically show that the notion of password
> entropy, as put forward in the NIST SP800-63 document, does not
> provide a valid metric for measuring the security provided by
> password creation policies. This is not to cast dispersions at the
> rest of the SP800-63 document which is otherwise of the highest
> quality. Furthermore, we validated the findings in [7], using
> empirical evidence, that there is no way to convert the notion of
> Shannon entropy into the guessing entropy of password creation
> policies.
> the author has since written some further blog posts discussing the
> results:
> http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html
> nevertheless, knowing the most popular passwords is probably in itself
> important feedback to any "root", if not non-root users,
> cheers,
> s.
> Message: 2
> Date: Thu, 4 Nov 2010 00:30:59 +0100
> From: Sari <angyjoe at gmail.com>
> To: air-l at listserv.aoir.org
> Subject: Re: [Air-L] Fwd: most popular passwords
> I just love the password generator
> http://keepass.info/screenshots/pwgen_big.png in KeePass. You can easily get
> a password that is strong enough (in bits please, NOT in number of symbols)
> to remain secure over your entire lifetime?
> I know, you won't be able to remember it (of course, I don't), but you can
> always save it in an encrypted KeePass database. For portability, copy that
> database to your memory stick. Lose your memory stick (I did)? No problem,
> since the database is safeguarded under AES 256 bit.
> AES might not stay safe for a long time to come though, see the recent:
> http://portal.acm.org/citation.cfm?id=1713127
> /Sari

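An added example, not part of the thread or the cited paper: two constructed password distributions with exactly the same Shannon entropy (10 bits) give an attacker who tries the most popular password first very different results. The distributions and function names are assumptions chosen for illustration.

```python
import math

def shannon_entropy(probs):
    """Shannon entropy H = -sum(p * log2 p), in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def success_rate(probs, guesses):
    """Share of accounts that fall to the `guesses` most popular passwords."""
    return sum(sorted(probs, reverse=True)[:guesses])

def guesswork(probs):
    """Expected number of guesses when trying passwords by popularity
    (often called guessing entropy)."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))

# Constructed distribution A: 1024 passwords, all equally likely.
UNIFORM = [1 / 1024] * 1024

# Constructed distribution B: one password used by half of all users,
# the other half spread evenly over 2**18 rare passwords.
# H = 0.5 * 1 + 0.5 * 19 = 10 bits, identical to distribution A.
SKEWED = [0.5] + [0.5 / 2**18] * 2**18

def report(name, probs):
    """One summary line per distribution."""
    return (f"{name}: H={shannon_entropy(probs):.2f} bits, "
            f"first-guess success={success_rate(probs, 1):.4%}, "
            f"mean guesses={guesswork(probs):.2f}")

if __name__ == "__main__":
    print(report("uniform", UNIFORM))
    print(report("skewed ", SKEWED))
```

Both distributions report 10 bits, yet one guess compromises half the accounts under the skewed one, and its mean guess count is also far higher, so neither average says what a single popular-password guess achieves.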