Subject: Re: why not use "an all-lower case password"
To: Henry Nelson <henry@irm.nara.kindai.ac.jp>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-help
Date: 04/02/2001 18:20:00
On Tue, 3 Apr 2001, Henry Nelson wrote:
> For the first time I thought I'd use a password that was all lower
> case letters, but I got a warning I shouldn't do that. Does that
> mean a user could look at some file and tell by the encryption sequence
> that the password was composed of letters only? Why should all-
I don't think you can look at the hash and know that.
> lower case be any less secure than a mixture of upper and lower, with
> or without digits?
Some can attempt to break your passwords by trying a series of possible
patterns like: "aaaaaaaa" ... "aaaaaaab" ... "zzzzzzzz". (Usually DES
implementations only recognize or use the first eight characters.) I think
this is 26^8. (There will be more than that because you have to consider
all the passwords from length one to seven also.) I wrote a perl script
that is trying possible patterns (a-z) -- it is taking a while...
This would take a long time, but a lot less than if you had used more
characters.
> The message also suggests the use of "control
> characters." Does that mean I could use ^C or ^Z? What's the deal?
You can try CTRL-C and CTRL-Z, but depending on the application, they
probably won't work. With passwd(1), CTRL-C breaks (exits) after you press
Enter; CTRL-Z suspends after you press Enter.
Jeremy C. Reed
http://www.reedmedia.net/
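
The search-space arithmetic from the reply above, worked through as an added example that is not part of the original message. The class table, the function names and the sample passwords are assumptions of this example; the eight-character limit is the DES behaviour the reply mentions.

```python
import math
import string

DES_CRYPT_MAX = 8  # traditional DES crypt(3) looks at the first eight characters only

# Character classes (7-bit ASCII). NUL is left out because it ends a C string.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "other": string.punctuation + " ",
    "control": "".join(map(chr, range(1, 32))) + chr(127),
}

def classes_used(password):
    """Names of the classes present in the part of the password that counts."""
    effective = password[:DES_CRYPT_MAX]
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in effective)]

def alphabet_size(password):
    """Alphabet an exhaustive search must cover to be sure of reaching it."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def search_space(alphabet, max_len=DES_CRYPT_MAX):
    """Candidates of every length from 1 to max_len over that alphabet."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def report(password):
    size = alphabet_size(password)
    space = search_space(size)
    return {
        "classes": classes_used(password),
        "alphabet": size,
        "candidates": space,
        "bits": round(math.log2(space), 1) if space else 0.0,
        "vs_lowercase": space / search_space(26),
    }

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the message.
    for pw in ("password", "Passw0rd", "pass\x1aword", "abcdefghXYZ"):
        print(repr(pw), report(pw))
```

The last sample shows the truncation effect: upper-case letters past the eighth character add nothing, so the password is scored as lower case only.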