
Re: why compression doesn't perfectly even out entropy




An entity claiming to be rick hoselton wrote:
: 
: Another example: What if I selected a nonsense passphrase,
: "Dagmar shaved Howard's cocker spaniel".  Not great, but adequate for my needs.
: If, by some wild coincidence, a book by that title became a best seller, I would
: change my passphrase.  A cryptanalyst who knew that was my feeling could simplify
: his cracking by not bothering to search for best selling book titles.  On the other
: hand, a cryptanalyst who was not so convinced of my paranoia, and who DID check
: book titles, would not find my passphrase.  I assume that BOTH philosophies
: would be used in a serious attack.  When I do the math, it says that, assuming
: BOTH types of attack are done, it is better to have a passphrase that is not
: the title of a book.

By the same token, an admin who runs crack on /etc/passwd to weed out poor
passwords isn't going to be faulted for reducing the key space for users'
passwords. The question is, how much of the keyspace should be eliminated
as "obviously a poor choice"?

Also, how much of this falls under "security through obscurity"?  If an
attacker knows what you omit, his/her job is a bit easier.

Is it possible to find a percentage of the key space to eliminate that
will optimize security assuming that the attacker will try the easy
stuff first (and is it possible to quantify "easy stuff")?

-- 
  Mark Rogaski    | Why read when you can just sit and |      Member
  System Admin    |         stare at things?           | Programmers Local
  GTI GlobalNet   | Any expressed opinions are my own  |     # 0xfffe
[email protected] | unless they can get me in trouble. |     APL-CPIO
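
Rick's "do the math" and Mark's question about how much key space to eliminate can be put into a small counting model. This is an added example, not code from anyone in the thread; the space size N=100, the "easy" set of E=10 candidates, and the two attacker search orders are constructed assumptions.

```python
from fractions import Fraction

# Constructed model (added example, not from the original post).  Candidates
# 0..E-1 are the "easy" set (best-selling titles, dictionary words); E..N-1
# are everything else.  Every candidate is otherwise equally likely.

def search_order(attacker: str, N: int, E: int) -> list:
    """Order in which an attacker tries the N candidates.
    'dict_first' tries the easy set first; 'skip_easy' assumes a paranoid
    user and leaves the easy set for last."""
    easy, hard = list(range(E)), list(range(E, N))
    return easy + hard if attacker == "dict_first" else hard + easy

def candidates(policy: str, N: int, E: int) -> list:
    """Passphrases a user following `policy` picks from, uniformly at random:
    'any' uses the whole space, 'avoid_easy' refuses anything in the easy set."""
    return list(range(N)) if policy == "any" else list(range(E, N))

def expected_guesses(policy: str, attackers: tuple, N: int, E: int) -> Fraction:
    """Expected guesses until the first of `attackers`, run in parallel, hits the
    passphrase.  With one attacker this is that attacker's own expected work."""
    picks = candidates(policy, N, E)
    positions = {a: {pw: i + 1 for i, pw in enumerate(search_order(a, N, E))}
                 for a in attackers}
    total = sum(min(positions[a][pw] for a in attackers) for pw in picks)
    return Fraction(total, len(picks))

def compare(N: int, E: int) -> dict:
    """Expected guesses for each (policy, attacker model) pair."""
    models = (("dict_first",), ("skip_easy",), ("dict_first", "skip_easy"))
    return {(p, m): expected_guesses(p, m, N, E)
            for p in ("any", "avoid_easy") for m in models}

if __name__ == "__main__":
    # N=100 candidates, 10 of them "book titles": avoiding the easy set costs
    # guesses against an attacker who skips it (Mark's obscurity point) but
    # wins when both attack styles are used (Rick's claim).
    for (policy, model), work in compare(100, 10).items():
        print(f"{policy:10s} vs {'+'.join(model):20s} {float(work):6.1f} guesses")
```

With these numbers a uniform pick over all 100 candidates costs either single attacker 50.5 guesses on average, while refusing the 10 easy ones costs a dictionary-first attacker 55.5 but an attacker who skips the easy set only 45.5; when both run in parallel, avoiding the easy set still wins (45.5 versus 41.5), and the advantage holds as long as the easy set is smaller than the rest of the space.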

