[Full-disclosure] Diceware method adoption - brute force me if you dare
jf at danglingpointers.net
Thu Mar 13 02:49:27 GMT 2008
Police officers (in the States) wear bulletproof vests because there is a
high probability of them getting shot/shot at; do you think that somehow makes it legal?
On Wed, 12 Mar 2008, M.B.Jr. wrote:
> Date: Wed, 12 Mar 2008 16:15:56 -0300
> From: M.B.Jr. <marcio.barbado at gmail.com>
> To: Full-Disclosure mailing list <full-disclosure at lists.grok.org.uk>
> Subject: [Full-disclosure] Diceware method adoption - brute force me if you
> Dear list,
> I was studying this passphrase creation method called Diceware:
> In it, one rolls a common die five times, writes down the results in
> sequential order, and then checks the suggested word in the
> DICTIONARY they provide.
> You got that? The method is supposed to give the user the words to use.
> Say your results were "5;6;1;5;3", then you check their table and the
> word listed under that number sequence is "sus"; well, that's the
> (pretty short) word to use in your passphrase.
> A 46,656 (6^6) word dictionary, publicly available. The method is
> clearly one bad choice for password creation but it's fairly
> acceptable for obtaining passphrases and concerning the latter, it
> assumes that eventual attackers know the referred dictionary, however
> offering a low guessing probability (high information entropy) for
> Despite the "rite of passage" idea in which the target stops trying to
> hide and starts expecting attacks as a certainty, my point here is
> Doesn't adopting the Diceware method in a, say, government corporate
> environment mean legalizing brute force attacks?
> Yours faithfully,
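The mechanics the quoted post describes (five dice rolls, a lookup in a published list, and the resulting guessing probability for an attacker who knows the list) as an added worked example. This is not code from the thread or from the Diceware project: the list excerpt and the placeholder word list are constructed here, only the "5;6;1;5;3 -> sus" pair comes from the post, and the list size assumed is the 6^5 = 7,776 distinct five-roll sequences that five six-sided dice can produce. The entropy and keyspace functions show why knowing the dictionary does not help an attacker beyond fixing the search space.

```python
"""Diceware helpers: list parsing, dice-to-word lookup, entropy and search cost.

Added example, not from the Full-Disclosure thread. The excerpt and the
placeholder word list are constructed; only '56153 sus' is from the post.
"""
import itertools
import math
import secrets
from typing import Callable, Dict

DIE_FACES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DIE_FACES ** ROLLS_PER_WORD  # 6^5 = 7776 possible five-roll sequences


def normalise_key(rolls: str) -> str:
    """Turn '5;6;1;5;3', '5 6 1 5 3' or '56153' into the canonical key '56153'."""
    key = "".join(ch for ch in rolls if ch.isdigit())
    if len(key) != ROLLS_PER_WORD or any(ch not in "123456" for ch in key):
        raise ValueError(f"expected {ROLLS_PER_WORD} die results in 1..6, got {rolls!r}")
    return key


def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse '<five dice digits> <word>' lines into a key -> word map.

    Blank lines and '#' comments are skipped. A duplicate key is rejected,
    since two words under one key would break the one-roll-one-word mapping.
    """
    words: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<key> <word>', got {raw!r}")
        key = normalise_key(parts[0])
        if key in words:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        words[key] = parts[1].strip()
    return words


def lookup(wordlist: Dict[str, str], rolls: str) -> str:
    """Return the word listed under a five-roll result such as '5;6;1;5;3'."""
    return wordlist[normalise_key(rolls)]


def roll_key(rng: Callable[[int], int] = secrets.randbelow) -> str:
    """Roll five dice with a CSPRNG (rng is injectable for deterministic tests)."""
    return "".join(str(rng(DIE_FACES) + 1) for _ in range(ROLLS_PER_WORD))


def generate_passphrase(wordlist: Dict[str, str], n_words: int = 6,
                        rng: Callable[[int], int] = secrets.randbelow) -> str:
    """Pick n_words words by rolling; the list must cover every key to stay uniform."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError(f"word list has {len(wordlist)} entries, need {LIST_SIZE}")
    return " ".join(lookup(wordlist, roll_key(rng)) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy when each word is drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def keyspace(n_words: int, list_size: int = LIST_SIZE) -> int:
    """Distinct passphrases an attacker who knows the list must consider."""
    return list_size ** n_words


def expected_years_to_guess(n_words: int, guesses_per_second: float) -> float:
    """Mean exhaustive-search time at a given rate (half the keyspace on average)."""
    return keyspace(n_words) / 2 / guesses_per_second / (365.25 * 24 * 3600)


def build_placeholder_wordlist() -> Dict[str, str]:
    """Constructed stand-in for a real list: every key maps to 'w' + key."""
    return {"".join(k): "w" + "".join(k)
            for k in itertools.product("123456", repeat=ROLLS_PER_WORD)}


# Constructed excerpt in the list's line format; only the 'sus' entry is from the post.
SAMPLE_EXCERPT = """
# key   word
11111 apple
11112 arrow
56153 sus
66666 zoo
"""

if __name__ == "__main__":
    excerpt = parse_wordlist(SAMPLE_EXCERPT)
    print("5;6;1;5;3 ->", lookup(excerpt, "5;6;1;5;3"))
    print(f"one word: {entropy_bits(1):.2f} bits; six words: {entropy_bits(6):.1f} bits")
    print(f"six words at 1e12 guesses/s: {expected_years_to_guess(6, 1e12):.3g} years")
    print(generate_passphrase(build_placeholder_wordlist()))
```

The security point the numbers make: with the list public, one word is worth about 12.9 bits and six words about 77.5 bits, so the attacker's only option is the full 7,776^n search; the strength comes from the physical dice being uniform and from the word count, not from the dictionary being secret. The uniformity check in `generate_passphrase` matters for the same reason: a list with missing keys would silently shrink the keyspace.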
Full-Disclosure is hosted and sponsored by Secunia.