From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sun, 21 Apr 1996 11:48:05 +0800
To: Paul_Koning/US/3Com%3COM@smtp1.isd.3com.com
Subject: Re: Spaces in passwords
Message-ID: <199604210129.SAA14344@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


At 12:32 PM 4/19/96 EDT, Paul_Koning/US/3Com%3COM@smtp1.isd.3com.com wrote:
>>>Of course not. In a normal Unix password, adding spaces to the
>>>password search space increases the search space, so it necessarily
>>>makes the search harder.

>>Depends on the space of ideas that are leading to your passwords.
>>If the reason you're adding spaces is to separate an n-character word
>>from the dictionary from a 7-n character word from the dictionary,
>>this reduces the search space for a cracker considerably.
>>At least pick random punctuation instead.
>
>Huh?  I don't follow your reasoning.
>If you use two random words, the search space for a dictionary attack
>with an N word dictionary is N^2.  That's true whether you include a space
>or leave it out.  

The context is Unix passwords, which are limited to 8 characters,
not arbitrary-length passphrases like PGP uses.  The size of the
dictionary of words you can use to put two of into 8 characters
is fairly small; the natural choice for two words with a space is
a 4-letter word and a 3-letter word, both chosen from English dictionaries,
though 5/2 and 6/1 are also possible.  It's _way_ searchable,
even if you're not attracted to popular phrases like "Exon You" or "Oh Exon!".

If you're length-constrained, the choice of one word limits the maximum
length of the other.  If you take away another character for punctuation
or space, it reduces it even more.  If I were writing this on a Unix box,
I'd check the number of words in the appropriate length categories, but it's
pretty low, and there's probably a lot less entropy in 3-character words than 4.
#					Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com, +1-415-442-2215