03-10-2021, 03:01 PM | #16
'Tis my eye!
Join Date: Aug 2000
Location: Chiefsplanet
Quote:
Here's another interesting read, BTW. He explains somewhat how "high entropy" is an outdated way of thinking. His "haystacks" suggestion is pretty interesting. https://www.grc.com/haystack.htm
Posts: 100,078
03-10-2021, 07:43 PM | #17
MVP
Join Date: Aug 2003
Quote:
Please don't take this the wrong way, totally not trying to sound like an ass, but I have a hard time explaining things sometimes and often end up sounding like a jerk. I've never really been a fan of GRC (didn't know he was still around, actually). I appreciate his attempt in this article, but I very heavily disagree with his assertions. Especially his D0g........... example. In fact, knowing that some people will probably hit the easy button and use something like that after reading his article, I'm going to add attacks specifically for it on my next engagement. Will be a couple months before I have spare cycles to test, but will try and get some performance numbers in a month or so. Length is not the ONLY factor, and this comment...
Quote:
Cutting my dictionaries (and like every CP'er, they're HUGE!) to words of 8 characters or less, running common "leetspeak" rules and appending a bunch of random special characters is not hard. Patterns are the death of a password. While yes, the D0g... password is longer than the PrXyc. one, this is insignificant if you know the pattern. And to be clear, I don't need to know what pattern you use. I will test all patterns I know. Padding for length is FANTASTIC, don't get me wrong, but padding with such bad patterns will kill you. Patterns publicly espoused will kill you faster. Entropy DOES matter, because "guessing" (ugh) is NEVER the only attack. His recommendation is faulty in that it is intended to protect against an outdated method. Brute-force attacks are mostly dead except in specific use cases, and only after pattern-based attempts are made. His argument is circular (because entropy - entropy doesn't matter) and misleading. Sorry to rant.
Posts: 10,620
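The disagreement above, as an added example (not from the thread or from GRC): a naive character-set entropy estimate credits "D0g" plus a run of padding with about 150 bits, while a strength estimate that models the word + leetspeak + padding attack the post describes gives about 32 bits. The wordlist, its assumed size, the padding-length bound and both sample passwords are constructed for the demo.

```python
import math
import string

# Constructed demo inputs: GRC's example is "D0g" followed by a run of dots; the
# second string stands in for a random password of similar length (both assumed).
PADDED = "D0g" + "." * 20
RANDOM = "Xq7!vR2#pLm9wT4&bN6^zC"

# Tiny stand-in wordlist; the assumed size is what a real cracking dictionary has.
WORDLIST = {"dog", "cat", "password", "chiefs", "summer", "football"}
ASSUMED_WORDLIST_SIZE = 1_000_000
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
MAX_PAD = 32  # padding lengths a padding rule would try (assumed bound)


def naive_bits(pw: str) -> float:
    """Character-set entropy: length * log2(alphabet), the 'haystack' view of strength."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(c in string.punctuation for c in pw): alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def unleet(s: str) -> str:
    """Undo common leetspeak substitutions so 'D0g' is recognised as 'dog'."""
    return "".join(LEET.get(c, c) for c in s).lower()


def pattern_bits(pw: str, wordlist=WORDLIST):
    """log2 of the guesses a 'word + leet rules + padding' attack needs, or None when
    the password does not fit that pattern (the attacker would need another approach)."""
    pad_char = pw[-1] if pw else ""
    core = pw.rstrip(pad_char)          # strip the trailing run of one repeated character
    pad_len = len(pw) - len(core)
    if pad_len < 2:                     # no real padding run: treat the whole string as core
        core, pad_len = pw, 0
    base = unleet(core)
    if base not in wordlist:
        return None
    # Choices the attack enumerates: the word, each leetable letter swapped or not,
    # first-letter capitalisation, the padding character, and the padding length.
    leetable = sum(1 for c in base if c in set(LEET.values()))
    guesses = ASSUMED_WORDLIST_SIZE * 2 ** leetable * 2 * len(string.punctuation) * MAX_PAD
    return math.log2(guesses)


def effective_bits(pw: str) -> float:
    """Strength a meter should report: the cheapest modelled attack, not the naive haystack."""
    pb, nb = pattern_bits(pw), naive_bits(pw)
    return nb if pb is None else min(nb, pb)


if __name__ == "__main__":
    for pw in (PADDED, RANDOM):
        print(f"{pw!r}: naive={naive_bits(pw):.0f} bits, effective={effective_bits(pw):.0f} bits")
```

The estimator only recognises the single pattern the post discusses; a real meter (zxcvbn-style) models many more, which is exactly why it beats naive entropy as a guide.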