[unisog] [Fwd: Is the current password std flawed?]

Nick Lewis lewisnic at internet2.edu
Fri Feb 25 16:57:15 GMT 2005

There is a good description in NIST SP 800-63 Electronic 
Authentication Guideline in Appendix A: Estimating Password Entropy 
and Strength, where it discusses Shannon's work.

It can be found at:


It has a table broken down by user-chosen and randomly chosen passwords.

See Table A.1 - Estimated Password Guessing Entropy in bits vs. 
Password Length.


----- Original Message ----- 
From: "PaulFM" <paulfm at me.umn.edu>
To: "UNIversity Security Operations Group" <unisog at lists.sans.org>
Sent: Friday, February 25, 2005 9:29 AM
Subject: Re: [unisog] [Fwd: Is the current password std flawed?]

> Requiring differing case characters makes it easier for people to 
> see the password typed over your shoulder (the shift key makes most 
> people pause) so I would not make that requirement.  Perhaps 
> suggesting that people use a made up nonsense phrase with some 
> punctuation and digits thrown in would be a good idea.  Requirements 
> that the password have at least 2 characters from each of any two of 
> the following classes: any alpha, Numbers, Special_characters ( 
> "what-the.", "01topmee" "what0the." and "87)015.1" would be allowed, 
> "00topmee" would not); and a length of 8 should be sufficient to 
> prevent people from using dumb passwords (of course increasing the 
> minimum length wouldn't hurt).
> T. Charles Yun wrote:
>> A while ago, I was doing some work on entropy in text that used a 
>> perl script found online based on Claude Shannon's work.  Shannon 
>> determined a (set of) formulas and processes that allowed for the 
>> analysis of entropy in the english language.
>> If you are interested in a more thorough mathematical analysis, I 
>> suspect that google can help with terms such as "Shannon entropy 
>> password perl" etc.
>> - Charles
>> Harry Hoffman wrote:
>>> Russell,
>>> We are having a similar discussion regarding the programs that 
>>> auto-generate easily typed passwords and whether or not it would 
>>> be easier to brute force those passwords based upon key locations 
>>> and how most people type.
>>> I'm interested to see what you come up with. Are you planning on 
>>> doing any tests to verify this?
>>> --Harry
>>> Russell Fulton wrote:
>>>> Hmmm.... from my manager.  What do you think?
>>>> I'll post my ideas on this tomorrow.
>>>> Russell
>>>> -------- Forwarded Message --------
>>>> From: Stephen Taylor (ITSS) <stay091 at vxchange.vcr.auckland.ac.nz>
>>>> To: Russell Fulton <rful011 at vxchange.vcr.auckland.ac.nz>, Bojan Zdrnja
>>>> <b.zdrnja at auckland.ac.nz>
>>>> Subject: Is the current password std flawed?
>>>> Date: Fri, 25 Feb 2005 13:42:51 +1300
>>>> As part of my discussion with CS re NetAccount v 2 enhancements we
>>>> looked at the UoA Password Std.
>>>> The following comments were made by CS.
>>>> By asking that all passwords must have a numeric and a special character
>>>> we are making it easier for cracking tools because we have effectively
>>>> reduced the "pool" of possible password combinations; e.g. no need to
>>>> check for a password such as "gHsrYBoZ" as this would be rejected as not
>>>> valid.
>>>> Similarly by not allowing all numerics such as "33892536".
>>> ...
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.sans.org
>>> http://www.dshield.org/mailman/listinfo/unisog
> -- 
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly
> those of the author(s).  The content of this message has
> not been reviewed nor approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------
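The CS comment forwarded above (a mandatory digit and special character shrinks the "pool" a cracker has to search) can be put in numbers. The script below is an added example and is not from anyone in this thread: it counts, by inclusion-exclusion, how many strings of a given length satisfy a composition rule, converts the excluded share into bits of guessing work saved, cross-checks the formula by exhaustive enumeration on a tiny alphabet, and implements the rule as the forwarded message states it. The split of the 95 printable ASCII characters into four classes (space counted as special) and the function names are assumptions of the example; the entropy of a randomly chosen password over the full alphabet is the length times log2(alphabet size), which is how NIST SP 800-63 Appendix A treats the randomly chosen case.

```python
"""How much brute-force keyspace does a password composition rule remove?

Constructed example for the thread above; not code from the mailing list.
"""
from itertools import combinations, product
from math import log2
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Assumed split of the 95 printable ASCII characters into the usual four
# classes (space counted as a special character).
CLASS_MEMBERS = {
    "lower": ascii_lowercase,
    "upper": ascii_uppercase,
    "digit": digits,
    "special": punctuation + " ",
}
CLASS_SIZES = {name: len(chars) for name, chars in CLASS_MEMBERS.items()}


def total_keyspace(length, sizes=CLASS_SIZES):
    """Number of strings of `length` over the full alphabet (95^length here)."""
    return sum(sizes.values()) ** length


def count_satisfying(length, required, sizes=CLASS_SIZES):
    """Strings of `length` containing at least one character from every class
    in `required`, by inclusion-exclusion: subtract the strings missing each
    required class, add back those missing two classes, and so on."""
    alphabet = sum(sizes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(sizes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def bits_removed(length, required, sizes=CLASS_SIZES):
    """Bits of guessing work a cracker saves by skipping every string the
    policy would reject anyway (log2 of total keyspace over valid keyspace)."""
    return log2(total_keyspace(length, sizes) / count_satisfying(length, required, sizes))


def brute_force_count(length, required, members):
    """Exhaustive cross-check of count_satisfying on a tiny alphabet.
    `members` maps class name -> the characters in that class."""
    alphabet = "".join(members.values())
    hits = 0
    for pw in product(alphabet, repeat=length):
        chars = set(pw)
        if all(chars & set(members[c]) for c in required):
            hits += 1
    return hits


def accepted_by_policy(password, members=CLASS_MEMBERS):
    """The rule as the forwarded message describes it: a digit and a special
    character are mandatory, and an all-numeric password is rejected (the
    second check is redundant given the first, but the policy states it)."""
    chars = set(password)
    has_digit = bool(chars & set(members["digit"]))
    has_special = bool(chars & set(members["special"]))
    all_numeric = chars <= set(members["digit"])
    return has_digit and has_special and not all_numeric


if __name__ == "__main__":
    for pw in ("gHsrYBoZ", "33892536", "what0the."):
        print(f"{pw!r:>12} accepted: {accepted_by_policy(pw)}")
    print(f"8-char random keyspace: {log2(total_keyspace(8)):.1f} bits")
    print(f"digit+special rule removes {bits_removed(8, ['digit', 'special']):.2f} bits")
    print(f"all-four-classes rule removes {bits_removed(8, list(CLASS_SIZES)):.2f} bits")
    print(f"all-numeric 8-char strings: {10 ** 8 / total_keyspace(8):.2e} of keyspace")
```

For 8-character passwords the digit-plus-special rule does let a cracker skip roughly 44% of the 95^8 space, but that is under one bit of work against a 52.6-bit random keyspace, and the all-numeric strings it bans are a negligible fraction. The rule's real effect is on the user-chosen column of NIST's Table A.1, where it pushes people off dictionary words; it changes little for a brute-force attacker and nothing for a randomly generated password.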