#1
Which of these two passwords should be the most secure one:

1. "Jag undrar vaad som aar ett sakert"
2. "XVg6Gtzw"

The first one is far easier to understand for me since it is a somewhat incorrectly spelled sentence (in Swedish) whereas the other is 8 very cryptic characters not easy to remember.

To me the first one seems much more secure since it has so many more characters and therefore should take far longer to brute force than the other. Dictionary attacks should also be rather useless since the words are incorrectly spelled and also it is a sentence and not a word. The sentence with similar misspellings would in English be something like:

"I wooonder what iss a secuure"

So what are your opinions?

AV

#2

AV <> wrote in news:Hjnjf.39378$:

> Which of these two passwords should be the most secure one:
>
> 1. "Jag undrar vaad som aar ett sakert"
>
> 2. "XVg6Gtzw"
>
> The first one is far easier to understand for me since it is a
> somewhat incorrectly spelled sentence (in Swedish) whereas the other is
> 8 very cryptic characters not easy to remember.
>
> To me the first one seems much more secure since it has so many more
> characters and therefore should take far longer to brute force than the
> other. Dictionary attacks should also be rather useless since the words
> are incorrectly spelled and also it is a sentence and not a word. The
> sentence with similar misspellings would in English be something like:
>
> "I wooonder what iss a secuure"
>
> So what are your opinions?

My personal preference has always been for passphrases rather than passwords. Because of the peculiarities of human memory it is possible to remember a passphrase of much higher entropy than a password. For example:

"A purple aardvark cavorts in a grotto of kumquat rinds."

This sentence, while too short, has been chosen to illustrate the principle. One can then "harden" the passphrase in a number of ways, such as:

Put two or three spaces between words and fill them with uncommon characters and numbers in some half-assed memorizable pattern. For instance:

"A1)Purple2(aardvark*3cavorts&5in^8a%13grotto%21of $34kumquat#55rinds."

(I used a very primitive pattern for illustration: top-row special characters and the - slightly mangled - Fibonacci numbers, both in order!)

You might also capitalize following some non-standard pattern, such as the first and last letter of each word.

"A1)PurplE2(AardvarK*3CavortS&5IN^8A%13GrottO%21OF $34KumquaT#55RindS."

The nice thing about such passphrases is that they can often be "assembled" in the input window just as I did above, rather than entered directly in final form.

Now the principle in choosing passphrases says that the passphrase should have (at least) as much entropy as the underlying algorithm (e.g., AES 12

Choose words *randomly* (curb your prejudices and preferences!) from a word list. (The average use vocabulary of an English adult is 5000 words, the recognition vocabulary of a well-educated college graduate is perhaps 50,000 words, and the Oxford contains somewhere around 500,000 words.) For good measure, do not count articles, prepositions, and the like in the word total.

Ten words chosen *randomly* from a list of 10,000 would have a probability of 10000^10 or about 133 bits - that's the length of passphrase we need (about twice as long as my illustrative one).

My fairly conservative policy (which has no theoretical support) is to assume that the hardening roughly compensates for the loss of entropy due to the regularity of the English sentence structure. Others may wish to credit it either more or less.

Regards,

nemo_outis

#3

AV wrote:

> Which of these two passwords should be the most secure one:
>
> 1. "Jag undrar vaad som aar ett sakert"
>
> 2. "XVg6Gtzw"
>
> The first one is far easier to understand for me since it is a
> somewhat incorrectly spelled sentence (in Swedish) whereas the other is
> 8 very cryptic characters not easy to remember.
>
> To me the first one seems much more secure since it has so many more
> characters and therefore should take far longer to brute force than the
> other. Dictionary attacks should also be rather useless since the words
> are incorrectly spelled and also it is a sentence and not a word. The
> sentence with similar misspellings would in English be something like:
>
> "I wooonder what iss a secuure"
>
> So what are your opinions?

http://www.google.be/search?hl=fr&q=...password&meta=

maybe ???

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg #
# -=- Der Säger von St. Georg -=- #
#############################################################

ToYKillAS

#4

"nemo_outis" <> wrote in news:Xns971E87AD52377abcxyzcom@127.0.0.1:

....
> The nice thing about such passphrases is that they can often be
> "assembled" in the input window just as I did above, rather than
> entered directly in final form.
....

A few things I forgot to add:

"Assembling" a passphrase in a password input window can be severely hampered if the window is blanked with asterisks. Here's a trick: assemble the passphrase in the *user name* window and then cut and paste it to the password window (afterwards, go back and fill in the user name).

For the theoretically inclined, the Shannon entropy of ordinary English sentences is about 1.2 to 1.4 bits per character. This gives an alternate method of calculating passphrase entropy.

Regards,

nemo_outis
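The two estimators nemo_outis describes in this post and the previous one (words drawn at random from a list, giving `words * log2(list size)` bits, and the Shannon rate of about 1.2 to 1.4 bits per character for sentences a person composed) are worked through below for the thread's own candidates. This is an added example, not code from the thread. It assumes a 62-symbol alphabet (upper, lower, digits) for the 8-character password, applies the English per-character rate to the Swedish sentence as a rough stand-in (the figure was measured on English), and uses a small constructed word list only so that the generator runs offline; `SAMPLE_WORDS`, `MIXED_ALNUM` and the function names are the example's own.

```python
import math
import secrets

# Constructed sample word list (not from the thread). nemo_outis's arithmetic
# assumes a 10,000-word list; the entropy functions take the list *size* as a
# number, and the generator only needs some list to draw from.
SAMPLE_WORDS = [
    "aardvark", "purple", "cavort", "grotto", "kumquat", "rind",
    "lantern", "meadow", "quartz", "saddle", "tundra", "velvet",
]

# Assumed alphabet for a password like "XVg6Gtzw": upper + lower + digits.
MIXED_ALNUM = 26 + 26 + 10  # 62 symbols


def random_string_entropy_bits(length: int, alphabet_size: int = MIXED_ALNUM) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from an alphabet."""
    return length * math.log2(alphabet_size)


def random_words_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement) from a list.

    There are list_size ** word_count possible phrases, i.e.
    word_count * log2(list_size) bits; 10 words from 10,000 gives about 133.
    """
    return word_count * math.log2(list_size)


def english_sentence_entropy_bits(sentence: str, bits_per_char: float = 1.3) -> float:
    """Shannon-style estimate for natural-language text (about 1.2-1.4 bits/char).

    This applies to text a person composed, not to randomly chosen words; the
    redundancy of the language is what pulls the per-character figure down.
    """
    return len(sentence) * bits_per_char


def words_needed_for(target_bits: float, list_size: int) -> int:
    """Smallest number of random words from a `list_size` list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_list, word_count: int) -> str:
    """Pick words with the OS CSPRNG so that the entropy arithmetic above actually applies."""
    return " ".join(secrets.choice(word_list) for _ in range(word_count))


def compare_candidates() -> dict:
    """The thread's candidates, each measured with the estimator that fits how it was made."""
    sentence = "Jag undrar vaad som aar ett sakert"  # 34 characters
    return {
        "8 random mixed-case alphanumerics": random_string_entropy_bits(8),
        "composed sentence, 34 chars, 1.2 to 1.4 bits/char": (
            english_sentence_entropy_bits(sentence, 1.2),
            english_sentence_entropy_bits(sentence, 1.4),
        ),
        "10 random words from a 10,000-word list": random_words_entropy_bits(10, 10_000),
    }


if __name__ == "__main__":
    for label, bits in compare_candidates().items():
        print(f"{label}: {bits}")
    print("words from a 10,000-word list needed for 128 bits:", words_needed_for(128, 10_000))
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

The point the numbers make is that the estimator has to match how the secret was produced: the random 8-character string and the composed 34-character sentence land in the same 40-50 bit range, while ten words that were actually drawn at random from a 10,000-word list are a different class entirely. A sentence you made up is not the same thing as words you rolled for, even when it is longer.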

#5

#1 is weak, #2 is reasonably strong.

Try here for a strength tester and some guidelines.

http://www.securitystats.com/tools/password.php

Ken

"AV" <> wrote in message news:Hjnjf.39378$...
> Which of these two passwords should be the most secure one:
>
> 1. "Jag undrar vaad som aar ett sakert"
>
> 2. "XVg6Gtzw"
>
> The first one is far easier to understand for me since it is a somewhat
> incorrectly spelled sentence (in Swedish) whereas the other is 8 very
> cryptic characters not easy to remember.
>
> To me the first one seems much more secure since it has so many more
> characters and therefore should take far longer to brute force than the
> other. Dictionary attacks should also be rather useless since the words
> are incorrectly spelled and also it is a sentence and not a word. The
> sentence with similar misspellings would in English be something like:
>
> "I wooonder what iss a secuure"
>
> So what are your opinions?

Rusty

#6

nemo_outis <> wrote:

> "nemo_outis" <> wrote in
> news:Xns971E87AD52377abcxyzcom@127.0.0.1:
>
> ...
>> The nice thing about such passphrases is that they can often be
>> "assembled" in the input window just as I did above, rather than
>> entered directly in final form.
> ...
>
> A few things I forgot to add:
>
> "Assembling" a passphrase in a password input window can be severely
> hampered if the window is blanked with asterisks. Here's a trick: assemble
> the passphrase in the *user name* window and then cut and paste it to the
> password window (afterwards, go back and fill in the user name).

Of course, this bypasses the very reason we have asterisks in password fields, the fact that anyone can look over your shoulder and see your password...

Joachim
jKILLSPAM.schipper@math.uu.nl

#7

wrote in news:438e27a2$0$95882$:

> nemo_outis <> wrote:
>> "nemo_outis" <> wrote in
>> news:Xns971E87AD52377abcxyzcom@127.0.0.1:
>>
>> ...
>>> The nice thing about such passphrases is that they can often be
>>> "assembled" in the input window just as I did above, rather than
>>> entered directly in final form.
>> ...
>>
>> A few things I forgot to add:
>>
>> "Assembling" a passphrase in a password input window can be severely
>> hampered if the window is blanked with asterisks. Here's a trick:
>> assemble the passphrase in the *user name* window and then cut and
>> paste it to the password window (afterwards, go back and fill in the
>> user name).
>
> Of course, this bypasses the very reason we have asterisks in password
> fields, the fact that anyone can look over your shoulder and see your
> password...
>
> Joachim

Call me crazy if you will, but I'm of the opinion that you should not be entering ANY password, whether asterisk protected or not, while someone is looking over your shoulder.

Regards,

nemo_outis

#8

nemo_outis wrote:

> "nemo_outis" <> wrote in
> news:Xns971E87AD52377abcxyzcom@127.0.0.1:
>
> ....
>
>> The nice thing about such passphrases is that they can often be
>> "assembled" in the input window just as I did above, rather than
>> entered directly in final form.
>
> ....
>
> A few things I forgot to add:
>
> "Assembling" a passphrase in a password input window can be severely
> hampered if the window is blanked with asterisks. Here's a trick: assemble
> the passphrase in the *user name* window and then cut and paste it to the
> password window (afterwards, go back and fill in the user name).
>
> For the theoretically inclined, the Shannon entropy of ordinary English
> sentences is about 1.2 to 1.4 bits per character. This gives an alternate
> method of calculating passphrase entropy.
>
> Regards,

While I agree with the passphrase concept, I prefer tokens (smartcards).

Some systems have limits as to usable PW length. Additionally, since the system should lock after a short period of inactivity to prevent someone from entering the system if a user leaves their terminal, it can be painful re-entering long passphrases. This does cause complaint. Storing very long and complex passwords on smartcards, with unique passwords stored on the smartcard for each required system, locks out the possibility of dictionary attacks. This is further enhanced if your company servers lock the password after 2 missed attempts (the password "should" always be good but sometimes gurgles occur). This assists in log review if you see bad password attempts on accounts, as you shouldn't see many on any system.

Meanwhile the user typically has to remember one short PIN on their smartcard to access many systems. Of course the smart card locks with 3 missed PIN attempts and inevitably users do lock their cards, but this is relatively seldom. A 128k card holds an amazing number of credentials, more than enough for most mortals.

Winged
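Winged's two operational points, a lockout after a couple of missed attempts and a log review in which bad password attempts per account should be rare, are the kind of thing a small script can check for you. The following is an added example and not code from the thread: the log line layout (`<timestamp> auth: <OK|FAIL> user=<name> src=<ip>`) and the sample lines are constructed for it, the lockout threshold of 2 follows the policy described in the post, and the function names are the example's own. It also flags a pattern that per-account counting alone misses (one source failing against several accounts, each below the threshold), which goes a step beyond the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log (not from the thread). The layout is a
# hypothetical format chosen for this example; adapt LINE_RE to what your
# servers actually emit.
SAMPLE_LOG = """\
2005-12-01T08:02:11 auth: FAIL user=alice src=10.0.0.5
2005-12-01T08:02:19 auth: OK   user=alice src=10.0.0.5
2005-12-01T08:10:03 auth: FAIL user=bob   src=10.0.0.9
2005-12-01T08:10:07 auth: FAIL user=bob   src=10.0.0.9
2005-12-01T08:10:12 auth: FAIL user=bob   src=10.0.0.9
2005-12-01T09:30:44 auth: OK   user=carol src=10.0.0.12
2005-12-01T11:15:00 auth: FAIL user=dave  src=203.0.113.7
2005-12-01T11:15:01 auth: FAIL user=erin  src=203.0.113.7
2005-12-01T11:15:02 auth: FAIL user=frank src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth:\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_account(events) -> Counter:
    """Total FAIL events per account: the 'you shouldn't see many' figure from the post."""
    return Counter(e["user"] for e in events if e["result"] == "FAIL")


def locked_accounts(events, threshold: int = 2) -> list:
    """Accounts that a 'lock after N consecutive failures' policy would have locked.

    A successful login resets the run. Events are processed in timestamp order.
    """
    streak = defaultdict(int)
    locked = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if e["result"] == "OK":
            streak[user] = 0
            continue
        streak[user] += 1
        if streak[user] == threshold and user not in locked:
            locked.append(user)
    return locked


def sources_hitting_many_accounts(events, min_accounts: int = 3) -> dict:
    """Sources whose failures are spread over several accounts.

    Each account may stay under the lockout threshold, so this is invisible to
    per-account counts; it only shows up when grouping failures by source.
    """
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_accounts}


def review(text: str = SAMPLE_LOG) -> dict:
    """The three checks over one log, as a reviewer would read them side by side."""
    events = parse_log(text)
    return {
        "failures_per_account": dict(failures_per_account(events)),
        "would_be_locked": locked_accounts(events),
        "sources_hitting_many_accounts": sources_hitting_many_accounts(events),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the sample data, bob's three consecutive failures trip the 2-attempt lockout, alice's single failure followed by a success does not, and 203.0.113.7 shows up only because its failures are grouped by source rather than by account. The `threshold` and `min_accounts` parameters are the two policy knobs; a real deployment would also bound the time window, which the post does not discuss and the example leaves out.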

#9

Winged <> wrote in news:2b86e$438e497c$45493f2f$:

> nemo_outis wrote:
>> "nemo_outis" <> wrote in
>> news:Xns971E87AD52377abcxyzcom@127.0.0.1:
>>
>> ....
>>
>>> The nice thing about such passphrases is that they can often be
>>> "assembled" in the input window just as I did above, rather than
>>> entered directly in final form.
>>
>> ....
>>
>> A few things I forgot to add:
>>
>> "Assembling" a passphrase in a password input window can be severely
>> hampered if the window is blanked with asterisks. Here's a trick:
>> assemble the passphrase in the *user name* window and then cut and
>> paste it to the password window (afterwards, go back and fill in the
>> user name).
>>
>> For the theoretically inclined, the Shannon entropy of ordinary
>> English sentences is about 1.2 to 1.4 bits per character. This gives
>> an alternate method of calculating passphrase entropy.
>>
>> Regards,
>
> While I agree with the passphrase concept, I prefer tokens (smartcards).
>
> Some systems have limits as to usable PW length. Additionally, since
> the system should lock after a short period of inactivity to prevent
> someone from entering the system if a user leaves their terminal, it can
> be painful re-entering long passphrases. This does cause complaint.
> Storing very long and complex passwords on smartcards, with unique
> passwords stored on the smartcard for each required system, locks out
> the possibility of dictionary attacks. This is further enhanced if your
> company servers lock the password after 2 missed attempts (the password
> "should" always be good but sometimes gurgles occur). This assists in
> log review if you see bad password attempts on accounts, as you
> shouldn't see many on any system.
>
> Meanwhile the user typically has to remember one short PIN on their
> smartcard to access many systems. Of course the smart card locks with
> 3 missed PIN attempts and inevitably users do lock their cards, but
> this is relatively seldom. A 128k card holds an amazing number of
> credentials, more than enough for most mortals.
>
> Winged

You raise some very valid points. I suppose (depending on particular circumstances) security should be provided by a judicious blend of what you know (passwords or passphrases), what you possess (smartcards or equivalents), and who you are (biometrics).

Regards,

nemo_outis