How to choose a password optimally
Tuesday, November 6th, 2012 16:56

(1) Premise: Any attack on a password — whether online (login attempts) or offline (hash cracking) — will be designed so that the more likely a given password is, out of the space of all possible passwords, the less work is required to recover that password (unless a trivial amount of work is required to discover any possible password).
(2) From (1), there exists a probability distribution of passwords.
(3) Premise: There is a (practical) maximum length for passwords.
(4) From (3), the set of possible passwords is finite.
(5) From (2) and (4), there is a minimum probability in that distribution.
(6) Use one of the passwords which has that minimum probability.
(There are at least two ways this doesn't work.)
(no subject)
Date: 2012-11-07 02:12 (UTC)

Here's a brute-force way to take that into account, assuming you have a finite list of attacks and all attacks are run simultaneously: Take each attack's list of passwords, each annotated with the effort required to reach it. For each password, take the minimum of the efforts. Choose the password with the greatest minimum effort.
(The 'list of passwords ranked by effort' representation is how I originally thought of the scheme in the post.)
I haven't thought of how to generalize that combination method to handle non-equiprobable attacks.
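An added example (not code from the post or the comment) of the combination rule described in the comment, with the post's own least-probable-password rule expressed as one attack in the same "effort to reach" representation. The wordlist, the alphabet and the candidate passwords are constructed toys, and the attack models are assumed to try guesses in a fixed order.

```python
import string

# Constructed toy wordlist: a dictionary attack tries these in order.
WORDLIST = ["password", "123456", "letmein", "dragon", "qwerty"]
ALPHABET = string.ascii_lowercase + string.digits  # assumed brute-force charset

# Each attack maps a candidate password to the number of guesses made
# before that password is reached, or None if the attack never reaches it.

def wordlist_attack(pw):
    return WORDLIST.index(pw) + 1 if pw in WORDLIST else None

def brute_force_attack(pw, alphabet=ALPHABET):
    # Enumerates every string of length 1, then 2, ... in lexicographic order.
    if any(c not in alphabet for c in pw):
        return None
    n = len(alphabet)
    shorter = sum(n ** k for k in range(1, len(pw)))  # all shorter strings first
    rank = 0                                          # position among same length
    for c in pw:
        rank = rank * n + alphabet.index(c)
    return shorter + rank + 1

def attack_from_distribution(probabilities):
    # The post's scheme as an attack: guess passwords in decreasing probability,
    # so the least probable password is the one reached with the most effort.
    ordered = sorted(probabilities, key=probabilities.get, reverse=True)
    return lambda pw: ordered.index(pw) + 1 if pw in ordered else None

def min_effort(pw, attacks):
    # All attacks run simultaneously, so the password falls to the cheapest one.
    efforts = [e for e in (a(pw) for a in attacks) if e is not None]
    return min(efforts) if efforts else float("inf")  # inf: no modelled attack reaches it

def best_password(candidates, attacks):
    # Choose the candidate with the greatest minimum effort.
    return max(candidates, key=lambda pw: min_effort(pw, attacks))

ATTACKS = [wordlist_attack, brute_force_attack]
CANDIDATES = ["dragon", "letmein", "zz9", "k7m2qx"]  # constructed

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(pw, min_effort(pw, ATTACKS))
    print("best:", best_password(CANDIDATES, ATTACKS))
```

A candidate that none of the modelled attacks reaches scores as infinite effort, which only reflects the incompleteness of the attack list, not real strength.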