temporarily via password [Woblock]. I choose a different password every time myself. Anybody unauthorized who wants to work at my terminal waits three seconds after the first attempt fails, six seconds after the second attempt, then 12 seconds, then 24 seconds, and so on. Even if that person knew, for example, that I enter only one lowercase letter, the average brute-force attack against the 26 possibilities would take 3 · 2^14 seconds, or 13.5 hours on average: not a promising outlook, since by that time I'll have caught him. The main drawback of the program is that roguish or malicious colleagues could press a wrong button every now and then during my absence (though I took care that keystrokes are not recorded). Upon my return, there would be a wait time of just about 2^13 seconds ...
But let's get back to 'correct' passwords. You should test for the following:
The password should not be too short (e.g., six characters minimum).
It should contain not only letters, but also special characters.
It should not have a simple structure (examples are X.X.X. or aaa,,,).
And finally, it should not be a word (test against a big dictionary, or
demand the occurrence of impossible or rare digrams).
Have a look at Figure 3.6: all these variations and many more can be tested
automatically!
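The four checks listed above (minimum length, not letters only, no simple structure, not a dictionary word, with the rare-digram rule as the cheaper substitute for a dictionary), written out as an added example in Python. This is not code from the book or from the author's program; the word list and the rare-digram table are small constructed stand-ins, and the superuser password 'ImRbnje!' quoted further down is used as one of the sample inputs.

```python
"""Password-quality checks: length, character mix, simple structure,
dictionary words, and (as a fallback) the presence of a rare digram.
Added example; DICTIONARY and RARE_DIGRAMS are constructed stand-ins."""

MIN_LENGTH = 6

# Constructed stand-in for a big dictionary; in practice load a full
# cracking wordlist (tens of thousands of entries or more).
DICTIONARY = {"password", "secret", "letmein", "sunshine", "dragon",
              "monkey", "rechner", "computer"}

# Constructed sample of letter pairs that practically never occur in
# English words; a real table would be derived from digram frequencies.
RARE_DIGRAMS = {"qz", "zq", "qx", "xq", "jq", "qj", "vq", "qv", "kq", "qk",
                "xz", "zx", "jz", "zj", "fq", "qf", "wq", "qw", "jx", "xj"}


def too_short(pw: str) -> bool:
    return len(pw) < MIN_LENGTH


def only_letters(pw: str) -> bool:
    """'Not only letters': the password fails if every character is a letter."""
    return pw.isalpha()


def simple_structure(pw: str) -> bool:
    """Catch patterns such as 'X.X.X.', 'aaa,,,', 'ababab', 'abcdef', '123456'."""
    # Built from at most two distinct characters ('aaa,,,', 'ababab').
    if len(set(pw)) <= 2:
        return True
    # A short unit repeated over the whole password ('X.X.X.' == 'X.' * 3).
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw == pw[:n] * (len(pw) // n):
            return True
    # Constant step between neighbouring characters ('abcdef', '123456', 'zyxwvu').
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1


def letter_core(pw: str) -> str:
    """Lower-cased letters only, so 'Password1!' is looked up as 'password'."""
    return "".join(c for c in pw.lower() if c.isalpha())


def is_dictionary_word(pw: str, dictionary=DICTIONARY) -> bool:
    # Also catches the very common 'word plus a digit or symbol' construction.
    return letter_core(pw) in dictionary


def has_rare_digram(pw: str) -> bool:
    core = letter_core(pw)
    return any(core[i:i + 2] in RARE_DIGRAMS for i in range(len(core) - 1))


def check_password(pw: str, dictionary=DICTIONARY) -> list:
    """Return the list of rules the password violates (empty list: accepted).

    With a dictionary the word test is a lookup; with dictionary=None the
    check instead demands that a rare digram occurs somewhere in the password.
    """
    problems = []
    if too_short(pw):
        problems.append("too short")
    if only_letters(pw):
        problems.append("letters only")
    if simple_structure(pw):
        problems.append("simple structure")
    if dictionary is not None:
        if is_dictionary_word(pw, dictionary):
            problems.append("dictionary word")
    elif not has_rare_digram(pw):
        problems.append("no rare digram")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the one quoted on this page.
    for candidate in ["ImRbnje!", "X.X.X.", "aaa,,,", "Password1!",
                      "abc12", "sunshine", "123456", "Kqzmv7!"]:
        print(f"{candidate!r:14} -> {check_password(candidate) or 'ok'}")
```

The digram rule is the coarser of the two word tests: it accepts anything containing a pair like 'qz' and, with the constructed table above, rejects the first-letters password 'ImRbnje!' (core 'imrbnje' contains only ordinary pairs), so in practice it needs a digram table tuned against a real corpus, and a dictionary lookup is preferable whenever a word list is available.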
On the other hand, if you overstep the mark, you will most likely achieve the opposite: users will write down their passwords, which is a real problem. There are two simple ways out of it:
1. If your system processes short passwords only (for example, often only
eight characters under UNIX), then memorize a crazy sentence and use
the first letters of its words and the punctuation marks. For example, I use
the superuser password 'ImRbnje!' on all UNIX computers I administer;
that's short for 'In meinen Rechner bricht nie jemand ein!' (Nobody
breaks into my computer!). Well, don't take it literally.
2. I'm crazy about these things called passphrases in PGP, and Schneier [SchnCr] also uses that name, while GnuPG calls them mantras. A passphrase is a simple sentence, like the one above, or a fraction of a sentence (a phrase). The program sees a passphrase simply as a long password. When using passphrases, a dictionary attack appears to