1996-07-16 - Re: Word lists for passphrases

Header Data

From: Christian Wettergren <cwe@it.kth.se>
To: David Sternlight <david@sternlight.com>
Message Hash: 4af0148bc9c4cad20bab96bd44c8f8b2df77d2fb92900b9825a4fa72046cae04
Message ID: <199607160727.JAA27015@piraya.electrum.kth.se>
Reply To: <v03007605ae102f6372e6@[192.187.162.15]>
UTC Datetime: 1996-07-16 12:53:24 UTC
Raw Date: Tue, 16 Jul 1996 20:53:24 +0800

Raw message

From: Christian Wettergren <cwe@it.kth.se>
Date: Tue, 16 Jul 1996 20:53:24 +0800
To: David Sternlight <david@sternlight.com>
Subject: Re: Word lists for passphrases
In-Reply-To: <v03007605ae102f6372e6@[192.187.162.15]>
Message-ID: <199607160727.JAA27015@piraya.electrum.kth.se>
MIME-Version: 1.0
Content-Type: text/plain



| It is pretty easy to defend against dictionary attacks by using an expanded
| character set--mixed caps and lower case; numbers substituted for some
| letters according to easily-remembered personal rules.
| 
| "Da5id" in "Snow Crash" by Neal Stephenson is an obvious example, since the
| "v" is a roman numeral 5. Another is the "Compuserve method" of inserting
| punctuation characters between words making up a password or key. Since the
| length of the words used is unknown to the cracker, this makes his job
| harder.

You should on the other hand be able to use the username as an indicator
of what kind of password it is;
user "warez" / pass "warez" (but better check the home directory for MS Word)
user "l0pht" / pass "'l33t"
user "feh" / pass "uk4n+r3dt13" (look for zines)

Actually, these kids believe the language they use is hiding them, but I
bet that the letter digrams they present are an immediate marker of "H4k3rz".
It's definitively better than searching for normal "elite, hacker, phracker,
exploit". I just used "l33t" (52), "d00d" (742), "h4qu3r" (5), "sux" (4053)
on AltaVista, to name a few.

-cwe
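
The exchange above seen from the password-policy side, as an added example that is not part of the original message: a check that undoes digit-for-letter substitutions and punctuation separators before comparing a candidate password with the username and a word list. The substitution table, the sample word list and the function names are assumptions made for this example.

```python
import re
from itertools import islice, product

# Digit/symbol stand-ins for letters (assumed table for this example).
# "5" reads as "s" or as "v" (Roman numeral five, as in "Da5id").
SUBS = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "sv", "7": "t",
        "@": "a", "$": "s"}

# Constructed sample word list; a real check would load a full dictionary.
WORDS = {"leet", "snow", "crash", "warez"}


def readings(text, limit=4096):
    """Return every letter-only reading of text with substitutions undone.

    Case is folded; characters that are neither letters nor known stand-ins
    are dropped. The number of readings is capped at `limit`.
    """
    choices = [SUBS.get(ch, ch) for ch in text.lower()
               if ch in SUBS or ch.isalpha()]
    found = set(islice(("".join(p) for p in product(*choices)), limit))
    found.discard("")  # text with no letters has no reading
    return found


def weak_reason(username, password, wordlist=WORDS):
    """Return "username" or "dictionary" if the password is guessable,
    or None if it passes both checks."""
    if readings(password) & readings(username):
        return "username"
    # Words joined by punctuation are split and checked one by one.
    parts = [p for p in re.split(r"[^a-z0-9@$]+", password.lower()) if p]
    if parts and all(readings(p) & wordlist for p in parts):
        return "dictionary"
    return None


if __name__ == "__main__":
    for user, pw in [("david", "Da5id"), ("warez", "warez"),
                     ("l0pht", "'l33t"), ("feh", "Snow!Crash"),
                     ("feh", "qzx7!vbn")]:
        print(f"{user!r:8} {pw!r:14} -> {weak_reason(user, pw)}")
```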






