[security flaw] Ubuntu is a plain text offender
Jordon Bedwell
jordon at envygeeks.com
Mon May 23 19:27:10 UTC 2011
On 5/23/2011 11:58 AM, Kent Borg wrote:
> Steve Flynn wrote:
>> Across 54 sites, my average password length is 20.1 bytes (I try to
>> generate 32 byte passwords by default but some sites restrict me down
>> to say 12).
>
> Be warned that sometimes passwords are silently truncated to just a few
> bytes, accepting long passwords, but ignoring all the good entropy.
>
> Also, I count my passwords in bits of entropy, not bytes of ASCII. That
> is, I don't generate passwords by thinking up something that *seems*
> random and measure the output; rather I use a real random source to
> choose the content and measure the input. For example, if you had a list
> of 64 words, you could use 6 coin tosses to select one word from the
> list (2^6=64), so one word so chosen has 6 bits of entropy. If you use
> a longer word list and repeat, it is possible to come up with an easy to
> remember passphrase that is pretty good.
>
> For example: "beauty-alias-citizen" or "budget-sunset-radio" each have
> 32-bits of entropy. (I have a program that does that.)

Actually, 'beauty-alias-citizen' has between 86 and 94 (rounded) bits of
entropy depending on your math and method of calculation. And it's a
very weak password. Aside from having under 100 random bits of entropy,
entropy alone cannot decide password strength.

A.) PIN Passwords [0-9] each letter has 3.3219 bits
B.) Simple Hex Passwords [a-z, 0-9] each letter has 4 bits

It goes up from there.

1.) Your password is vulnerable to dictionary attacks.
2.) Your password is vulnerable to common brute force attacks.
3.) Your password contains a single repeated ASCII symbol.

A.) Pass should contain multiple symbols.
B.) Pass should contain letters and numbers, upper and lower.
C.) Pass should have at least 2 characters that repeat (non-sequential).

The list goes on, but it's not my job to lecture you on how bad that pass
is; it's just my job to correct the bad math and then give tips.