[Cryptography] Brute-force password crackers?

Jerry Leichter leichter at lrw.com
Mon Dec 27 18:07:54 EST 2021


> OK, we have databases of >10^6 passwords, so we can easily compute distributions for graphs, digraphs, trigraphs, etc.
>  
> So a 'random' password is potentially guessed more quickly than a 'non-random' password which utilizes these distributions for pessimizing guessability.
>  
> In particular, shouldn't password generators make sure that passwords utilize less-frequently used characters -- e.g., the 'long tail' ?  It should certainly reject the very rare cases of all digits, etc.
>  
> While these passwords may not be easy to type -- e.g., Unicode -- this may not make much difference with keepass-type programs.
>  
> Isn't that so?

It really depends on what you're trying to do.  If you need a human to be able to remember and type the password, those "long tail" passwords will be really tough.

Once you assume the password will be saved by a program, not remembered by a human being, all this sort of stuff becomes irrelevant.  I mentioned in a previous note that the Mac Keychain program will let you generate passwords.  Safari will also suggest passwords for you, which will be saved to the Keychain and filled automatically.  These are something like 25 random letters and digits.  (I never bothered to count.)
                                                        -- Jerry
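
Added example, not part of the original message and not code from Keychain, Safari or any other product: a uniform generator for the kind of stored password described above, with the size of its search space and the effect of rejecting the "all digits" case raised in the quoted text. The length of 25, the 62-symbol alphabet and the guess rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumptions for illustration: letters and digits, 25 characters.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
LENGTH = 25
ASSUMED_GUESSES_PER_SECOND = 1e12                 # hypothetical attacker speed


def generate(length=LENGTH, alphabet=ALPHABET):
    """Draw each character independently and uniformly from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=LENGTH, alphabet_size=len(ALPHABET)):
    """Entropy of a uniform password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def all_digit_log2_probability(length=LENGTH, alphabet_size=len(ALPHABET)):
    """log2 of the chance that a uniform draw consists only of digits."""
    return length * math.log2(len(string.digits) / alphabet_size)


def bits_lost_by_rejecting(log2_p):
    """Entropy removed when outputs of total probability p are rejected.

    The remaining space is (1 - p) of the original, so the loss is
    -log2(1 - p); log1p keeps precision when p is far below 2**-53.
    """
    p = 2.0 ** log2_p
    return -math.log1p(-p) / math.log(2)


def years_to_search_half(rate=ASSUMED_GUESSES_PER_SECOND):
    """Expected brute-force time (half the space) at the assumed rate."""
    seconds = (len(ALPHABET) ** LENGTH) / 2 / rate
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("sample password      :", generate())
    print("entropy (bits)       : %.2f" % entropy_bits())
    print("log2 P(all digits)   : %.2f" % all_digit_log2_probability())
    print("bits lost if rejected: %.3g"
          % bits_lost_by_rejecting(all_digit_log2_probability()))
    print("years for half space : %.3g" % years_to_search_half())
```
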


