On Thu, Oct 13, 2011 at 2:45 AM, Callum Lerwick <seg@xxxxxxxxxx> wrote:
> Personally I've been generating passwords with "pwgen -s 12 1", or for
> really important stuff (like online banking), "pwgen -s 12 1".

Erk, that should be "pwgen -s -y 12" for the important stuff. Cut-and-paste fail. :(

A fully random 12 char alpha-numeric (with fully random caps) password is about ~71 bits of entropy. A fully random 12 char password using all 94 printable ASCII characters (not including space) is ~78 bits of entropy.

Remember, bits multiply exponentially. Each additional bit doubles your search space. If I did my math right, this is exceeding a four word S/KEY passphrase (~44 bits) by about 8-10 orders of magnitude. You need to go to 7 (!) S/KEY words to get to ~77 bits of entropy.

See: http://en.wikipedia.org/wiki/Password_strength

Also of interest: http://www.schneier.com/blog/archives/2005/06/write_down_your.html

As computers become faster, depending purely on human memory for security only becomes more and more impractical. As time goes on, OTP devices are necessary for any real security:

http://fedoraproject.org/wiki/Infrastruture/Yubikey
http://code.google.com/p/google-authenticator/
http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660

(IIRC, World of Warcraft is the #1 target for cracking, phishing, and fraud in the world today. It's big business! But I can't find any references offhand...)

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
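A worked check of the entropy figures in the message above, added here as an example and not part of the original post. It assumes the 62-symbol alphabet of "pwgen -s", the 94-symbol printable-ASCII alphabet of "pwgen -s -y", and the 2048-word (11 bits per word) S/KEY dictionary from RFC 1760; the function names are my own.

```python
import math
import secrets
import string

# Character sets behind the two pwgen invocations discussed in the post.
ALNUM = string.ascii_letters + string.digits      # "pwgen -s": 62 symbols
PRINTABLE = ALNUM + string.punctuation            # "pwgen -s -y": 94 symbols, no space

# S/KEY (RFC 1760) draws each word from a 2048-entry list: log2(2048) = 11 bits/word.
SKEY_DICTIONARY_SIZE = 2048
SKEY_BITS_PER_WORD = math.log2(SKEY_DICTIONARY_SIZE)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose `length` symbols are drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def skey_words_needed(target_bits: float) -> int:
    """Smallest number of S/KEY words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / SKEY_BITS_PER_WORD)


def orders_of_magnitude(bits_a: float, bits_b: float) -> float:
    """log10 of the ratio of the two search spaces, 2**bits_a / 2**bits_b.
    Each extra bit doubles the space, so the gap in bits scales by log10(2)."""
    return (bits_a - bits_b) * math.log10(2)


def random_password(alphabet: str, length: int) -> str:
    """Generate a password the way `pwgen -s` does: every position is an
    independent draw from the alphabet using the OS CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    alnum12 = entropy_bits(len(ALNUM), 12)
    printable12 = entropy_bits(len(PRINTABLE), 12)
    skey4 = entropy_bits(SKEY_DICTIONARY_SIZE, 4)
    print(f"pwgen -s 12      : {alnum12:.1f} bits")
    print(f"pwgen -s -y 12   : {printable12:.1f} bits")
    print(f"4 S/KEY words    : {skey4:.1f} bits")
    print(f"gap              : {orders_of_magnitude(alnum12, skey4):.1f} to "
          f"{orders_of_magnitude(printable12, skey4):.1f} orders of magnitude")
    print(f"S/KEY words for ~77 bits: {skey_words_needed(77)}")
    print(f"sample pwgen -s -y style password: {random_password(PRINTABLE, 12)}")
```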