Is this secure?

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Wed Feb 24 08:11:01 CET 2010


On Tue, 23 Feb 2010 18:39:53 -0800, Paul Rubin wrote:

> Steven D'Aprano <steven at REMOVE.THIS.cybersource.com.au> writes:
>> Paul, if you were anyone else, I'd be sneering uncontrollably about
>> now, but you're not clueless about cryptography, so what have I missed?
>> Why is reducing the number of distinct letters by more than 50%
>> anything but a disaster? This makes the task of brute-forcing the
>> password exponentially easier.
> 
> Reducing the number of distinct letters by 50% decreases the entropy per
> character by 1 bit.  

You say that as if 1 bit of entropy isn't much :)

Given a random six character password taken out of an alphabet of 52 
characters, it takes over nine billion attempts to brute force it. 
Reducing the alphabet by 50% cuts that down to less than 200 million. To 
make up for that loss of 1 bit of entropy, you need two extra characters 
in your password.


> That stuff about mixing letters and digits and
> funny symbols just makes the password a worse nuisance to remember and
> type, for a small gain in entropy that you can compute and make up for.

Well, everybody has their own ways of remembering passwords, and I'd much 
prefer to remember an eight character password with "funny symbols" that 
I chose myself, than a six character password with nothing but letters 
that was chosen for me.

Of course, I flatter myself that I know how to choose good passwords, and 
I hate remembering long random strings even from a reduced alphabet (e.g. 
I hate memorizing eight digit phone numbers, and am completely incapable 
of remembering ten digit mobile phone numbers).



-- 
Steven



More information about the Python-list mailing list