[clug] [OT] all text passwords == secure?

Sam Couter sam at couter.id.au
Mon Aug 27 05:41:36 MDT 2012


steve jenkin <sjenkin at canb.auug.org.au> wrote:
> The idea of picking something memorable and transforming it into a
> humanly processable form is good.
> But concatenating full words is NOT one of the ways...

That's an overgeneralisation to the point that it's incorrect.

Here's a method that uses a true hardware random number generator to
generate a passphrase from concatenating (mostly real) words:

http://world.std.com/~reinhold/diceware.html

Assuming the attacker knows (or guesses) you're using the diceware word
list:

Five words is better than an 8-character ASCII password, so that's an
improvement over the vast majority already.

Six words is roughly the same strength as a 12-character ASCII password
and much easier to remember.

If the attacker doesn't know or try the diceware list (dangerous
assumption to rely on), the passwords will take even longer to crack.

I think I agree with the statement "relying on passwords alone may no
longer be a good security measure" at:

http://cyberarms.wordpress.com/2010/10/21/cracking-14-character-complex-passwords-in-5-seconds/

Ignore the next retarded statement on that page about facial recognition.
-- 
Sam Couter         |  mailto:sam at couter.id.au
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
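The entropy arithmetic behind the comparison above, as an added example that is not part of the original post: a Diceware list has 6^5 = 7776 entries, so each word contributes log2(7776) ≈ 12.9 bits, against log2(95) ≈ 6.6 bits per printable-ASCII character. The word list itself is not embedded; the demo substitutes a constructed placeholder list, and the dice are replaced by the OS CSPRNG (an assumption, not what the Diceware page prescribes).

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5   # 7776 entries, one per five-die key 11111..66666
PRINTABLE_ASCII = 95      # printable ASCII symbols an attacker must try per position


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def diceware_bits(words: int) -> float:
    """Strength of an n-word passphrase when the attacker knows the list."""
    return entropy_bits(DICEWARE_WORDS, words)


def ascii_bits(chars: int) -> float:
    """Strength of an n-character uniformly random printable-ASCII password."""
    return entropy_bits(PRINTABLE_ASCII, chars)


def equivalent_ascii_length(words: int) -> int:
    """Nearest ASCII password length with the same entropy as `words` Diceware words."""
    return round(diceware_bits(words) / math.log2(PRINTABLE_ASCII))


def key_to_index(key: str) -> int:
    """Map a five-die key such as '31415' to a 0-based list index (digits 1-6, base 6)."""
    if len(key) != 5 or any(d not in "123456" for d in key):
        raise ValueError(f"not a five-die Diceware key: {key!r}")
    index = 0
    for d in key:
        index = index * 6 + (int(d) - 1)
    return index


def roll_key() -> str:
    """Five rolls from the OS CSPRNG standing in for physical dice (assumption)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase(wordlist, words: int = 6) -> str:
    """Pick `words` entries by rolled keys; `wordlist` is indexed 0..7775 in key order."""
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(words))


if __name__ == "__main__":
    for n in (5, 6):
        print(f"{n} words: {diceware_bits(n):.1f} bits ~ {equivalent_ascii_length(n)}-char ASCII")
    print(f"8-char ASCII: {ascii_bits(8):.1f} bits, 12-char ASCII: {ascii_bits(12):.1f} bits")
    placeholder_list = [f"word{i:04d}" for i in range(DICEWARE_WORDS)]  # constructed stand-in
    print(passphrase(placeholder_list))
```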