On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski <przemek.klosowski@xxxxxxxx> wrote:
> Length beats out larger character set, which is nicely illustrated by
> the XKCD cartoon
>
> http://imgs.xkcd.com/comics/password_strength.png

Be careful, that xkcd strip glosses over how that phrase was actually generated. If you just pick words or sentences out of your head, you could actually have dangerously little actual entropy in your passphrase.

Do NOT actually use spaces in your passphrase. The space bar typically makes a distinctive sound, so an eavesdropper can potentially figure out how many words are in your passphrase, and the length of each word, narrowing their search window...

He's assigning 11 bits of entropy to each word; 2^11 = a word list 2048 words long, which corresponds with S/KEY:

http://en.wikipedia.org/wiki/S/KEY

There's also:

http://en.wikipedia.org/wiki/Diceware
http://en.wikipedia.org/wiki/Bubble_Babble
http://en.wikipedia.org/wiki/Biometric_word_list

Cryptographic security is all in the details; doing it even slightly wrong can completely destroy your security. Make sure to follow a proven strategy if you're going the passphrase route.

Personally I've been generating passwords with "pwgen -s 12 1", or for really important stuff (like online banking), "pwgen -s 12 1". A different password for absolutely everything; all passwords are stored in a Revelation database protected by a REALLY long passphrase.

I find it's not that hard to remember a completely obscure 12-char password, after a day or two of frequent use, if you force yourself to actually type it in by hand rather than just cut-and-pasting from Revelation. Try just memorizing 2-4 chars at a time until you remember it all. I find I end up just consciously remembering the first 4 chars and muscle memory completes the rest...
Also see: http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458
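As an added illustration of the entropy arithmetic and the space-bar caveat discussed in the message above (example code, not part of the original post): it assumes "pwgen -s" draws each character uniformly from the 62 alphanumeric characters, and it uses a constructed 12-word list as a stand-in for a real 2048-word S/KEY or 7776-word Diceware list.

```python
import math
import secrets

# Constructed sample word list, a stand-in for a real S/KEY or Diceware list.
# Only the list size and the word-length distribution matter for the math.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "stone", "lamp", "ox", "tea", "violin", "marble"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from
    `alphabet_size` choices: length * log2(alphabet_size).
    4 words from a 2048-word list -> 44 bits; 12 chars from 62 -> ~71.5 bits."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words, sep=""):
    """Pick words with a CSPRNG (secrets), not 'out of your head'.
    sep='' means no spaces are typed, so the space bar cannot leak the
    word count or word lengths to someone listening."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def boundary_leak_bits(words, observed_lengths):
    """Model the space-bar leak: if an eavesdropper learns each word's
    length, the attacker's search space shrinks from len(words)**n to the
    product of the number of list words having each observed length.
    Returns (bits_without_leak, bits_with_leak)."""
    full = entropy_bits(len(words), len(observed_lengths))
    count_by_len = {}
    for w in words:
        count_by_len[len(w)] = count_by_len.get(len(w), 0) + 1
    reduced = sum(math.log2(count_by_len[n]) for n in observed_lengths)
    return full, reduced


if __name__ == "__main__":
    print("4 x 2048-word list :", entropy_bits(2048, 4), "bits")
    print("pwgen -s 12 (62^12):", round(entropy_bits(62, 12), 2), "bits")
    print("6 x Diceware (7776):", round(entropy_bits(7776, 6), 2), "bits")
    phrase = generate_passphrase(SAMPLE_WORDS, 4, sep=" ")
    lengths = [len(w) for w in phrase.split(" ")]
    full, leaked = boundary_leak_bits(SAMPLE_WORDS, lengths)
    print("sample list, 4 words: %.2f bits, %.2f if lengths leak" % (full, leaked))
```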