in reply to Re: Please Review First Program: Random Password Generator
in thread Please Review First Program: Random Password Generator

I'd force the inclusion of a certain amount from each set.

This will decrease the number of possible password combinations, and actually make password weaker. What password is stronger? The one which includes 8 characters from the [A-Z0-9] set, or one which includes 6 characters from the [A-Z] and 2 from [0-9]?

Replies are listed 'Best First'.
Re^3: Please Review First Program: Random Password Generator
by ikegami (Patriarch) on Feb 05, 2011 at 05:02 UTC

    This will decrease the number of possible password combinations,

    Yes.

    and actually make password weaker

    No.

    In general, the second does not necessarily follow from the first. Blacklisting password "password" decreases the number of possible combinations, for example.

    In this particular case, it also makes the password stronger since the hashes of all alphabetic passwords of length 14 or less are known. (I don't remember for which hashing algorithm.)

    What password is stronger? The one which includes 8 characters from the [A-Z0-9] set, or one which includes 6 characters from the [A-Z] and 2 from [0-9]?

    The one that includes 1 from [A-Z], 1 from [0-9] and 6 from [A-Z0-9].

[reply]
      since the hashes of all alphabetic passwords of length 14 or less are known. (I don't remember for which hashing algorithm.)

      Are you seriously suggesting that the blackhats can call on a database/lookup table of 26^14 * 14+16 = 1.5 Zetabytes of storage for cracking passwords?

      For reference, the best figure I can find for Google's storage total is 220 TB, which means that these blackhats would need 7 million times the infrastructure as Google to store this table. Even if 10:1 compression was possible, that's still 700.000 Googles hiding away on the internet somewhere.

      Even if they compressed the data and held it on tape, they'd still need 1000+ of these all fully populated to hold it. And each of those 1000 systems would cost 7 digits to buy.

      Yes, I've heard of rainbow tables, but they don't address the fundamental problem much.

      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority".
      In the absence of evidence, opinion is indistinguishable from prejudice.
[reply]
      In general, the second does not necessarily follow from the first. Blacklisting password "password" decreases the number of possible combinations, for example.

      Using digits not necessarily mean that generated p@ssw0rd wi11 be more resistant against dictionary attacks. In fact 0, 1, 4, 5, 7 may be used as replacements for often used characters, so I won't be surprised if probability that random password matches some dictionary word higher for alphanumeric passwords than for just alphabetic.

[reply]
      hashes of all alphabetic passwords of length 14 or less are known. (I don't remember for which hashing algorithm.)

      I suspect you talking about Ophcrack tables for LM hash. First, they are not alphabetic, they include also digits and other characters. Second, 14 character LMhash is practically consist of two 7 character passwords

[reply]

In Section Seekers of Perl Wisdom