Skip to Content.
Sympa Menu

ad-assurance - RE: [AD-Assurance] Something to keep us all paranoid

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

RE: [AD-Assurance] Something to keep us all paranoid

Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Something to keep us all paranoid
  • Date: Wed, 19 Jun 2013 21:03:49 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

Good articles.  This excerpt from the first relates well to our recent discussions on entropy.  The qead… password is what they call a keyboard walk (like Qwerty).  Try typing it one character at a time to see.  That plus 4 digits on the end and bingo… cracked.


Where a classic brute-force tries "aaa," "aab," "aac," and so on, a Markov attack makes highly educated guesses. It analyzes plains to determine where certain types of characters are likely to appear in a password. A Markov attack with a length of seven and a threshold of 65 tries all possible seven-character passwords with the 65 most likely characters for each position. It drops the keyspace of a classic brute-force from 957 to 657, a benefit that saves an attacker about four hours. And since passwords show surprising uniformity when it comes to the types of characters used in each position—in general, capital letters come at the beginning, lower-case letters come in the middle, and symbols and numbers come at the end—Markov attacks are able crack almost as many passwords as a straight brute-force.


From: [mailto:] On Behalf Of David Walker
Sent: Wednesday, June 19, 2013 2:06 PM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Something to keep us all paranoid


Here are a couple of articles to keep us all scared about passwords.  Probably no direct impact on our work, although the fact that passwords like qeadzcwrsfxv1331 can be cracked when weak encryption is employed might have bearing on our decision of whether entropy is a mitigation for weak encryption.


Archive powered by MHonArc 2.6.16.

Top of Page