Date: Fri, 8 Apr 2016 18:52:44 +0200
From: Patrick Proniewski <>
Subject: Re: Section 3.4 of "A Canonical Password Strength Measure"

On 08 avr. 2016, at 00:10, wrote:

> This section has created most of the buzz.
> It is not the main point of the article; it is merely an example application, in the following sense:
> you had a feeling that a really long password (such as a valid English sentence) would do the job -- I understand this sentiment, but without a clearly defined password strength measure we cannot argue about it at all -- with the proposed measure you can actually claim that the strength of a passphrase is guaranteed to be higher than the mainstream "strong" passwords recommended by popular creation policies.
> Or you can show me that this statement is wrong.

I do agree with you that "J'aime marcher nu dans la forêt !" is a better password than "p4ssw0rd1984", but I think it's not good advice today to tell users to use proper spelling and proper grammar when they choose a passphrase.
Correct English (or French, or other) looks like a restrictive password policy to me: it adds some (or a lot of) predictability to the result. I don't know much about Shannon's entropy, and not much either about math/stats, but it's quite clear that the structure of correct language makes entropy plummet.
In fact, I'm pretty confident password attackers will create, in the near future, efficient attacks against common English passphrases (maybe some statistically enhanced PRINCE attack, as a starting point).

Nevertheless, passphrases are good and way better than passwords.
