Matir
12-04-2010 02:47 PM
As win32sux says, the article was about brute forcing.
If you want to look at the "randomness" (called entropy) of a given password, look at Shannon Entropy and the NIST 800-63 guidelines. For a user chosen password, the first character gives you 4 bits, characters 2-8 buy 2 bits each, 9-20 are 1.5 bpc (bits per character) and 21+ are only worth a single bit each. (These values assume the system doesn't enforce dictionary checking or composition rules.) A random ASCII password, by the way, is about 6.5-6.6 bpc. As you can see, humans choose poor passwords, myself included. I just like to make the password secure enough that people who aren't targeting me specifically will give up. (Excluding system passwords, root passwords, banking applications, etc.) But my password to, say, New York Times online, is, in comparison, pitifully weak.
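The per-position estimate quoted in the post above, worked through in code. This is an added example, not code from the post or the thread; the 94-symbol printable-ASCII alphabet used for the random-password comparison is an assumption, and the helper names are mine.

```python
import math

# NIST SP 800-63 (Appendix A) per-position estimate for a user-chosen
# password, as quoted in the post. Assumes the system enforces neither a
# dictionary check nor composition rules.
def nist_user_chosen_entropy(password: str) -> float:
    """Return the estimated entropy in bits of a user-chosen password."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0          # first character: 4 bits
        elif position <= 8:
            bits += 2.0          # characters 2-8: 2 bits each
        elif position <= 20:
            bits += 1.5          # characters 9-20: 1.5 bits each
        else:
            bits += 1.0          # characters 21+: 1 bit each
    return bits

# Assumption: a "random ASCII password" draws uniformly from the 94
# printable, non-space ASCII characters, giving log2(94) ~ 6.55 bits each.
PRINTABLE_ASCII_SYMBOLS = 94
RANDOM_BITS_PER_CHAR = math.log2(PRINTABLE_ASCII_SYMBOLS)

def random_ascii_entropy(length: int) -> float:
    """Entropy in bits of a uniformly random printable-ASCII password."""
    return length * RANDOM_BITS_PER_CHAR

def random_length_for(target_bits: float) -> int:
    """Shortest random printable-ASCII password reaching target_bits."""
    return math.ceil(target_bits / RANDOM_BITS_PER_CHAR)

def human_length_for(target_bits: float) -> int:
    """Shortest user-chosen password whose NIST estimate reaches target_bits."""
    length = 0
    while nist_user_chosen_entropy("x" * length) < target_bits:
        length += 1
    return length

if __name__ == "__main__":
    # Constructed sample passwords; the estimate depends only on length.
    for pw in ("correcthorsebatterystaple", "Tr0ub4dor&3", "secret"):
        print(f"{pw!r:28} user-chosen ~{nist_user_chosen_entropy(pw):5.1f} bits, "
              f"random of same length ~{random_ascii_entropy(len(pw)):5.1f} bits")
    print("user-chosen length needed for 40 bits:", human_length_for(40))
    print("random length needed for 40 bits:", random_length_for(40))
```

The gap the post describes shows up directly: a user-chosen password needs 24 characters to reach the 40-bit estimate that a random printable-ASCII password reaches in 7.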