On 10/13/2011 09:45 AM, Callum Lerwick wrote:
> On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski
> <przemek.klosowski@xxxxxxxx> wrote:
>> Length beats out larger character set, which is nicely illustrated by
>> the XKCD cartoon
>>
>> http://imgs.xkcd.com/comics/password_strength.png
>
> Be careful, that xkcd strip glosses over how that phrase was actually
> generated. If you just pick words or sentences out of your head, you
> could actually have dangerously little actual entropy in your
> passphrase. Do NOT actually use spaces in your passphrase, the space
> bar typically makes a distinctive sound so an eavesdropper can
> potentially figure out how many words are in your passphrase, and the
> length of each word, narrowing their search window...
>

- well, to me "correct horse battery staple" seems random enough, but I'd
like to ask everyone to not use it, because it's what I use as my
password on every machine I have access to...

Regards,
Jirka

> He's assigning 11 bits of entropy to each word, 2^11 = a word list
> 2048 words long, which corresponds with S/KEY:
>
> http://en.wikipedia.org/wiki/S/KEY
>
> There's also:
>
> http://en.wikipedia.org/wiki/Diceware
> http://en.wikipedia.org/wiki/Bubble_Babble
> http://en.wikipedia.org/wiki/Biometric_word_list
>
> Cryptographic security is all in the details, doing it even slightly
> wrong can completely destroy your security. Make sure to follow a
> proven strategy if you're going the passphrase route.
>
> Personally I've been generating passwords with "pwgen -s 12 1", or for
> really important stuff (like online banking), "pwgen -s 12 1". A
> different password for absolutely everything, all passwords are stored
> in a Revelation database protected by a REALLY long passphrase. I find
> it's not that hard to remember a completely obscure 12-char password,
> after a day or two of frequent use, if you force yourself to actually
> type it in by hand rather than just cut-and-pasting from Revelation.
> Try just memorizing 2-4 chars at a time until you remember it all. I
> find I end up just consciously remembering the first 4 chars and
> muscle memory completes the rest...
>
> Also see:
>
> http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
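The entropy arithmetic in the thread (11 bits per word from a 2048-word list, versus a random 12-character password) and the point about word lengths leaking through the space bar, worked through as an added example that is not part of the list discussion. The word list here is a constructed eight-entry toy; the function names and the assumption that an eavesdropper learns every word length exactly are mine.

```python
import math
import secrets

# Constructed toy word list for illustration; S/KEY uses 2048 words,
# Diceware uses 7776 (6^5, one word per five dice rolls).
TOY_WORDS = ["correct", "horse", "battery", "staple",
             "apple", "river", "stone", "cloud"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size`.

    Holds for words drawn from a list just as for characters drawn from
    a charset: entropy_bits(2048, 4) == 44.0, entropy_bits(62, 12) ~ 71.5.
    """
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count, rng=secrets.randbelow):
    """Pick `count` words uniformly with a CSPRNG (secrets, not random).

    This is the "proven strategy" the thread asks for: each word is an
    independent uniform draw, so entropy_bits(len(words), count) applies.
    Words chosen "out of your head" give no such guarantee.
    """
    return [words[rng(len(words))] for _ in range(count)]


def entropy_if_lengths_known(words, passphrase):
    """Remaining entropy once the length of every word has leaked.

    Assumption (mine): the eavesdropper learns each word's exact length,
    so each position only has to be searched among list words of that
    length. Entropy per position drops from log2(len(words)) to
    log2(number of list words with that length).
    """
    by_length = {}
    for w in words:
        by_length[len(w)] = by_length.get(len(w), 0) + 1
    return sum(math.log2(by_length[len(w)]) for w in passphrase)


if __name__ == "__main__":
    phrase = generate_passphrase(TOY_WORDS, 4)
    print(" ".join(phrase))
    print("full:", entropy_bits(len(TOY_WORDS), 4), "bits")
    print("lengths leaked:", entropy_if_lengths_known(TOY_WORDS, phrase), "bits")
```

With the toy list, "correct horse battery staple" falls from 12 bits to about 4.3 once the four word lengths are known, which is the narrowing of the search window the thread warns about.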