[conspire] Password permutations (was: Correction)

Rick Moen rick at linuxmafia.com
Mon Mar 30 13:19:55 PDT 2020


Quoting Texx (texxgadget at gmail.com):

> The Lieber Office tools are nice, but you have to know what to do before
> you use them.

Mein Lieber!



> Rick grew up in a place with top notch schools....

Peak School in Hong Kong Royal Crown Colony was a top-notch school?
Then, why did they have us reading Charles Kingsley's _The Water Babies,
A Fairy Tale for a Land Baby_?  Even decades later, I think I still need
brain-bleach.

Boy, they really needed to get the memo that the reign of Queen Victoria 
ended 65 years ago, and that Victorian children's literature sucked 
even by the standards of 1863.



> I'm pretty sure I have the following wrong:
> Given an 8-digit passwd, the number of combinations is 8 to the power of
> however many possibilities each digit can contain.

Other way.  If, say, the character choices per position are 25
lower-case characters, 26 upper-case characters, and ten digits
(I stress that this is an artificial example), then the number of
distinct password permutations for an 8-character password is
(26 + 26 + 10)^8 = 218,340,105,584,896.

This ignores exclusion of forbidden passwords, which typically is part
of the vetting algorithm.


The above sort of mindless approach, however, encourages the use of
line-noise-resembling passwords, e.g., pseudo-randomly generated ones.
Techies such as Michael P. often gravitate towards those, blithely 
ignoring the obvious disadvantage that they are pretty much impossible
to memorise and nearly impossible to type accurately.

They tend to excuse themselves from that obliviousness on grounds that
they have no intention of memorising strong passwords and almost never
intend to type them, the latter because they intend to use 'password
manager' software and/or copy/paste the passwords from somewhere rather
than type them.  That in turn implicitly OKs risks implicit in those
mechanisms -- which personally I find a poor tradeoff.


I would suggest that -- at least according to my own criteria and usage
model, so adjust to suit -- a more-reasonable strategy is a modified
version of the famous/infamous XKCD 'password strength' algorithm.
Partial discussion is here:  
https://security.stackexchange.com/questions/62832/is-the-oft-cited-xkcd-scheme-no-longer-good-advice

To get past the otherwise-inevitable wasted-time discussion, Schneier 
said that the _literal_ use of the XKCD method (merely stringing
together dictionary words) was obsolete.  But that doesn't mean that the 
general approach if modified to foil dictionary attack doesn't have 
merit.

(I'm not going to state exactly how I arrive at passwords, for the
self-evident reason that I don't want the world to know exactly how I
arrive at passwords.)

-- 
Cheers,                            "Rand Paul being patient zero for a Senate 
Rick Moen                          viral outbreak is a sign of a writers' room 
rick at linuxmafia.com                dropping too much acid, late in the season."
McQ! (4x80)                                        -- @owillis (Oliver Willis)
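The keyspace arithmetic from the post above, worked through in Python as an added example (not code from the original message): it reproduces the 62^8 figure, shows how a vetting rule of the "must use every character class" kind shrinks that count (one form of the forbidden-password exclusion the post mentions), and sets both beside an XKCD-style passphrase. The 2048-word list, the four-word phrase and the 1e10 guesses/second rate are assumptions.

```python
import math
from itertools import product

# Character classes from the worked example in the post: 26 + 26 + 10 = 62.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}

def keyspace(class_sizes, length):
    """Distinct passwords when any symbol may appear in any position:
    (sum of class sizes) ** length, e.g. 62 ** 8 for the post's example."""
    return sum(class_sizes.values()) ** length

def keyspace_require_all(class_sizes, length):
    """Keyspace once the vetting rule 'at least one symbol from every class'
    is applied. Inclusion-exclusion over the set of classes a password
    fails to use: subtract passwords that avoid class A, add back those
    that avoid both A and B, and so on."""
    names = list(class_sizes)
    total = 0
    for mask in range(1 << len(names)):
        avoided = {n for i, n in enumerate(names) if mask >> i & 1}
        alphabet = sum(s for n, s in class_sizes.items() if n not in avoided)
        total += (-1) ** len(avoided) * alphabet ** length
    return total

def brute_force_require_all(class_sizes, length):
    """Slow reference for tiny inputs: enumerate every string and count
    those that touch every class."""
    symbols = [(n, i) for n, s in class_sizes.items() for i in range(s)]
    return sum(1 for pw in product(symbols, repeat=length)
               if {n for n, _ in pw} == set(class_sizes))

def passphrase_keyspace(wordlist_size, words):
    """XKCD-style: `words` words drawn uniformly from a `wordlist_size` list."""
    return wordlist_size ** words

def bits(n):
    """Entropy in bits of a uniform choice among n candidates."""
    return math.log2(n)

def years_to_exhaust(n, guesses_per_second):
    """Worst-case time to try every candidate at the given (assumed) rate."""
    return n / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    chars = keyspace(CLASSES, 8)
    vetted = keyspace_require_all(CLASSES, 8)
    phrase = passphrase_keyspace(2048, 4)        # assumption: 2048-word list
    rate = 1e10                                   # assumed offline guess rate
    for label, n in (("62^8, any mix", chars), ("62^8, all classes", vetted),
                     ("4 words of 2048", phrase)):
        print(f"{label:>20}: {n:>22,d}  {bits(n):5.1f} bits  "
              f"{years_to_exhaust(n, rate):8.4f} years @ 1e10/s")
```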