> > > I hope it is. People are _really_ bad at picking random things - try
> > > an experiment - ask a group of people to pick a random number. You'll be
> > > surprised...
> >
> > It is not. For example, I just generated that *using my brain*:
> > "s4k1f62rni7q"
> > Tell me why it isn't random!!!
>
> Your string has 12 characters, perhaps from a set of about 32
> (lowercase + digits) or 64 (both cases + digits) choices, so there
> could be 5 or 6 bits of randomness per character, 60 to 72 bits
> overall.
>
> Experiments have actually been run on this. Ask a bunch of people to
> generate random strings, then do statistical analysis of the strings.
> The analysis shows them falling far short of full randomness.
>
> Suppose you use such strings as passwords and I don my Black Hat and
> try to crack them. If you're using a high-quality random source, I
> have more work to do, on average, than if you used humans and I use
> statistical info on human biases to guide my search.
>
> I'm not sure how large this effect is, but it is there.

I don't think that this effect can be large; there are too many things which influence the way you choose random characters, and I use a very long time for choosing them (like 10 minutes for 30 bytes), which should prevent me from using my biases =/

All this mess with crypto is making me go nuts: first internal crypto patch doesn't work so I have to use loop AES, then it says "at least 20 bytes passwords" but I don't know in what format they should be and how I should create them.

I still invite anyone to tell me if a 30 byte a-z and 0-9 password created using my brain as a random character generator is enough for AES128, or what I should use for creating the damn thing and how long it has to be.

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
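Added example, not part of the original thread: the per-character entropy arithmetic from the quoted reply, applied to the a-z/0-9 alphabet and a 128-bit target, with a password drawn from the OS CSPRNG. The function names and the bias model (`BIASED_WEIGHTS`) are assumptions constructed for illustration, not measured data on human choices.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols: a-z and 0-9

def max_entropy_bits(length, alphabet_size):
    """Upper bound, reached only if each character is uniform and independent."""
    return length * math.log2(alphabet_size)

def min_length(target_bits, alphabet_size):
    """Shortest uniformly random string carrying at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def shannon_bits_per_char(weights):
    """Average-case entropy of one character drawn with these relative weights."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)

def min_entropy_bits_per_char(weights):
    """Worst-case entropy: what a guesser trying likeliest symbols first faces."""
    return -math.log2(max(weights) / sum(weights))

def generate(target_bits=128, alphabet=ALPHABET):
    """Password from the OS CSPRNG, long enough to carry target_bits."""
    n = min_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))

# Constructed bias model (assumption): 12 "favourite" symbols are chosen
# four times as often as the remaining 24, each position independently.
BIASED_WEIGHTS = [4] * 12 + [1] * 24

if __name__ == "__main__":
    size = len(ALPHABET)
    print("12 chars, 32 symbols:", max_entropy_bits(12, 32), "bits")
    print("12 chars, 64 symbols:", max_entropy_bits(12, 64), "bits")
    print("30 chars, 36 symbols: %.1f bits at most" % max_entropy_bits(30, size))
    print("chars needed for 128 bits if uniform:", min_length(128, size))
    for name, fn in (("Shannon", shannon_bits_per_char),
                     ("min-entropy", min_entropy_bits_per_char)):
        per_char = fn(BIASED_WEIGHTS)
        print("biased model, %s: %.2f bits/char, %.1f bits for 30 chars"
              % (name, per_char, 30 * per_char))
    print("CSPRNG password:", generate())
```

The figures for the biased model depend entirely on the assumed weights; only the uniform-case numbers follow from the alphabet size alone.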