This has been a very good thread. I have one additional suggestion, which is to add something you personally know, but that could not be guessed very easily, nor exposed by a dictionary attack. I find alternative, non-standard phonetic spellings helpful this way. Even better are obscure, obsolete spellings of place names, people, objects, or concepts, particularly if the source language isn't English. On its own this strategy is insufficient, of course. But two or three such terms, plus the hashing described below, builds up a good password, imo.

Of course, it's also important to employ available technology to thwart scripted attacks, e.g. with applications like denyhosts or fail2ban. Also, if you don't need to be open to access from the general public, move to IPv6 and shut down as much IPv4 access as possible. Anyone who has external access to any of my machines understands they need to come in via IPv6, because I'm not listening for connections on IPv4. Obviously, that doesn't work for mail or web traffic, but it's really helpful for sshd.

PS: If we've not mentioned it, the pwgen command has many useful options.

Janina

Tim Chase writes:
> I've used a technique that's come to be known as "password
> haystacks" (see link below) which involves simply padding your
> good (or even written shoulder-surfable) password out to a reasonable
> length to make the brute-force cracking all the more complex.
>
> So say my password is "correct horse battery staple". I might take
> that and then add 8 periods at the end. Or 10 ampersands. Or
> alternate dash-equals-dash-equals as many times as you want. Or
> whatever secret character or characters you want and however many of
> them you want. It's also particularly handy if you have to change
> your password on a regular basis (I usually just change the haystack
> characters).
>
> Alternatively, if you use a GUI and "keepassx" is accessible in your
> screen-reader, it allows you to generate strong passwords, keep them
> safe behind one master password, keep them hidden from
> shoulder-surfing eyes, and will auto-type them into the last window
> you were in. This is the solution I use for most passwords (except
> my master passwords, for which I use the haystack method).
>
> -tim
>
> https://www.grc.com/haystack.htm
>
> _______________________________________________
> Blinux-list mailing list
> Blinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/blinux-list

-- 
Janina Sajka, Phone: +1.443.300.2200
sip:janina@xxxxxxxxxxxxxxxxxxxx
Email: janina@xxxxxxxxxxx

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup: http://a11y.org

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures
http://www.w3.org/wai/apa
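The haystack argument Tim describes above, worked through as an added example that is not part of this thread or of the GRC page it links. The first functions implement the search-space model that page uses (an exhaustive attacker tries every combination of every length up to the password's length, over whichever character classes appear); `pad` applies the padding rule from the quoted message. `known_rule_bits` is my own addition: it models the stronger attacker who already knows that a user pads a base secret with one of a few filler strings repeated some bounded number of times, so that only the base secret, the filler choice and the repeat count remain unknown. The character classes, the word-list size used for the base passphrase and the filler/count bounds are assumptions chosen for illustration.

```python
import math
import string

# Character classes for the haystack search-space model (an assumption:
# lower, upper, digits, and punctuation-plus-space as the "symbol" class).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must cover, given
    which character classes appear in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def haystack_search_space(password: str) -> int:
    """Candidates tried by an attacker who searches every length from 1
    up to len(password) over the alphabet inferred from the password."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def haystack_bits(password: str) -> float:
    """The same search space expressed in bits."""
    return math.log2(haystack_search_space(password))


def pad(password: str, filler: str, count: int) -> str:
    """The padding rule from the quoted message: append a filler
    string (".", "&", "-=", ...) repeated `count` times."""
    return password + filler * count


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly from
    a list of `list_size` words (how a dictionary attacker models it)."""
    return word_count * math.log2(list_size)


def known_rule_bits(base_bits: float, filler_choices: int, max_count: int) -> float:
    """Entropy left once the attacker knows the padding convention: the
    base secret plus the choice among `filler_choices` fillers and a
    repeat count of 1..max_count. This is an illustrative model I added;
    it is not a claim made anywhere in the thread."""
    return base_bits + math.log2(filler_choices * max_count)


def compare(base: str, filler: str, count: int, list_size: int = 2048) -> dict:
    """Return the three views of one padded passphrase side by side."""
    padded = pad(base, filler, count)
    words = len(base.split())
    return {
        "exhaustive_bits_unpadded": haystack_bits(base),
        "exhaustive_bits_padded": haystack_bits(padded),
        "passphrase_bits": passphrase_bits(words, list_size),
        # assumption: 4 plausible fillers, at most 16 repeats
        "known_rule_bits": known_rule_bits(passphrase_bits(words, list_size), 4, 16),
    }


if __name__ == "__main__":
    # Constructed sample input: the passphrase from the quoted message.
    for k, v in compare("correct horse battery staple", ".", 8).items():
        print(f"{k:>26}: {v:7.1f} bits")
```

The padded value comes out far larger under the exhaustive model, which is the haystack pitch; the `known_rule_bits` line shows how little the padding adds once the attacker knows the convention, which is why the quoted advice to keep the filler characters secret is the part doing the work.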