[Air-L] Fwd: most popular passwords (Sari)

Sari angyjoe at gmail.com
Wed Nov 10 21:09:00 PST 2010


Leuven my baaaaaaby!
Beautiful you are!

/Sari


On Tue, Nov 9, 2010 at 1:04 PM, Seda Guerses <sguerses at esat.kuleuven.be> wrote:

>
> this is a belated answer to the password discussion and what counts as a
> secure password.
>
> there was a recent paper at ccs on why entropy based metrics (or for that
> matter most other universal metrics) do not provide formulas for secure
> passwords, since the attacker models cannot be foreseen. the authors state
> in their conclusion:
>
> Our experiments categorically show that the notion of password
> entropy, as put forward in the NIST SP800-63 document, does not
> provide a valid metric for measuring the security provided by
> password creation policies. This is not to cast dispersions at the
> rest of the SP800-63 document which is otherwise of the highest
> quality. Furthermore, we validated the findings in [7], using
> empirical evidence, that there is no way to convert the notion of
> Shannon entropy into the guessing entropy of password creation
> policies.
>
> the author has since written some further blog posts discussing the
> results:
>
> http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metrics.html
>
> nevertheless, knowing the most popular passwords is probably in itself
> important feedback to any "root", if not non-root users,
> cheers,
> s.
>
>
> Message: 2
> Date: Thu, 4 Nov 2010 00:30:59 +0100
> From: Sari <angyjoe at gmail.com>
> To: air-l at listserv.aoir.org
> Subject: Re: [Air-L] Fwd: most popular passwords
> Message-ID:
>        <AANLkTinwtg8L-t-kPBWUOUecNfHGz0CW9vzjP5xHbRmC at mail.gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> I just love the password generator
> http://keepass.info/screenshots/pwgen_big.png in KeePass. You can easily get
> a password that is strong enough (in bits please, NOT in number of symbols)
> to remain secure over your entire lifetime?
>
>
>
> I know, you won't be able to remember it (of course, I don't), but you can
> always save it in an encrypted KeePass database. For portability, copy that
> database to your memory stick. Lose your memory stick (I did)? No problem,
> since the database is safeguarded under AES 256 bit.
>
>
>
> AES might not stay safe for a long time to come though, see the recent:
> http://portal.acm.org/citation.cfm?id=1713127
>
>
>
> /Sari





