[4188] in cryptography@c2.net mail archive


The simplest good password rule

daemon@ATHENA.MIT.EDU (Markus Kuhn)
Wed Feb 10 19:02:11 1999

To: cryptography@c2.net
Date: Wed, 10 Feb 1999 23:09:04 +0000
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

I have always told new users the following guideline for selecting a
password, and I still believe that this rule is better than any I have
seen elsewhere so far. I call it the "collision bet guideline".

  Select your password such that you can comfortably bet your life
  that nobody in the history of computing has ever or will ever come up
  with the same one.

Since human brains all work rather similarly, the best attack dictionary
is the list of all passwords that have ever been invented by people with
a similar cultural background to the target. For those passwords where
personal data was used to generate them (names, dates, etc.), the
algorithm used to generate the password is also entered into the
dictionary.

After archiving other people's remote logins for over twenty years, the
SIGINT folks (and more recently also some larger ISPs) should have
excellent statistics for doing efficient password guessing attacks.

Markus

-- 
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org,  WWW: <http://www.cl.cam.ac.uk/~mgk25/>
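The attack dictionary described in the post, as an added example that is not part of the original message: it combines a wordlist of previously seen passwords with "algorithms" applied to the target's personal data (case changes, leet substitutions, reversal, appended dates and years), and reports whether a candidate password falls inside that dictionary. The wordlist, the profile, the mangling rules and the 1950-2000 year window are all constructed assumptions for illustration, not real leaked data or a real cracker's rule set.

```python
from datetime import date

# Constructed stand-in for a list of previously seen passwords (hypothetical, not leaked data).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey", "dragon"]

# Common character substitutions ("leet") applied to lowercase letters only.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def case_variants(word):
    """Lowercase, capitalised and uppercase forms of a base word."""
    return {word.lower(), word.capitalize(), word.upper()}


def mangle(word):
    """Apply the mangling rules a guesser would try on one base word."""
    out = set()
    for w in case_variants(word):
        out.add(w)
        out.add(w.translate(LEET))   # e.g. Alice -> Al1c3
        out.add(w[::-1])             # reversed spelling
    return out


def personal_bases(profile):
    """Base words derived from the target's personal data (assumed profile keys)."""
    bases = set()
    for key in ("first", "last", "pet", "city"):
        if profile.get(key):
            bases.add(profile[key])
    if profile.get("first") and profile.get("last"):
        bases.add(profile["first"] + profile["last"])
    return bases


def date_suffixes(profile, year_window=(1950, 2000)):
    """Suffixes a guesser appends: birth-date fragments, a window of years, and common tails."""
    suffixes = {"", "1", "12", "123", "!", "1!"}
    b = profile.get("birth")
    if b:
        suffixes.update({
            str(b.year),                      # 1979
            f"{b.year % 100:02d}",            # 79
            f"{b.day:02d}{b.month:02d}",      # ddmm
            f"{b.month:02d}{b.day:02d}",      # mmdd
            f"{b.day:02d}{b.month:02d}{b.year % 100:02d}",  # ddmmyy
        })
    # Year window is an assumption; a real guesser would size it to the target population.
    suffixes.update(str(y) for y in range(year_window[0], year_window[1] + 1))
    return suffixes


def attack_dictionary(profile, common=COMMON_PASSWORDS):
    """Everything a guesser would try first: mangled common words and mangled
    personal-data words, each with every suffix appended."""
    bases = set(common) | personal_bases(profile)
    suffixes = date_suffixes(profile)
    candidates = set()
    for base in bases:
        for m in mangle(base):
            for s in suffixes:
                candidates.add(m + s)
    return candidates


def is_guessable(password, profile):
    """True if the password lies inside the attack dictionary for this target,
    i.e. it fails the 'collision bet'."""
    return password in attack_dictionary(profile)


if __name__ == "__main__":
    # Constructed target profile; not a real person.
    target = {"first": "Alice", "last": "Smith", "pet": "Rex",
              "city": "Cambridge", "birth": date(1979, 4, 12)}
    for pw in ["Alice1979", "R3x1204", "M0nk3y!", "Tq7#vLp9Zw"]:
        print(pw, "guessable" if is_guessable(pw, target) else "not in dictionary")
```

The point of running it is the size of the dictionary relative to the effort: a few thousand candidates cover every password built from the target's name, pet, city and birth date, which is exactly the class of passwords the collision bet rules out.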


