Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Jiri Moskovcak jmoskovc at redhat.com
Thu Oct 13 11:03:47 UTC 2011


On 10/13/2011 09:45 AM, Callum Lerwick wrote:
> On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski
> <przemek.klosowski at nist.gov>  wrote:
>> Length beats out larger character set, which is nicely illustrated by
>> the XKCD cartoon
>>
>> http://imgs.xkcd.com/comics/password_strength.png
>
> Be careful, that xkcd strip glosses over how that phrase was actually
> generated. If you just pick words or sentences out of your head, you
> could actually have dangerously little actual entropy in your
> passphrase. Do NOT actually use spaces in your passphrase, the space
> bar typically makes a distinctive sound so an eavesdropper can
> potentially figure out how many words are in your passphrase, and the
> length of each word, narrowing their search window...
>

- well, to me "correct horse battery staple" seems random enough, but 
I'd like to ask everyone to not use it, because it's what I use as my 
password on every machine I have access to...

Regards,
Jirka

> He's assigning 11 bits of entropy to each word, 2^11 = a word list
> 2048 words long, which corresponds with S/KEY:
>
> http://en.wikipedia.org/wiki/S/KEY
>
> There's also:
>
> http://en.wikipedia.org/wiki/Diceware
> http://en.wikipedia.org/wiki/Bubble_Babble
> http://en.wikipedia.org/wiki/Biometric_word_list
>
> Cryptographic security is all in the details, doing it even slightly
> wrong can completely destroy your security. Make sure to follow a
> proven strategy if you're going the passphrase route.
>
> Personally I've been generating passwords with "pwgen -s 12 1", or for
> really important stuff (like online banking), "pwgen -s 12 1". A
> different password for absolutely everything, all passwords are stored
> in a Revelation database protected by a REALLY long passphrase. I find
> it's not that hard to remember a completely obscure 12-char password,
> after a day or two of frequent use, if you force yourself to actually
> type it in by hand rather than just cut-and-pasting from Revelation.
> Try just memorizing 2-4 chars at a time until you remember it all. I
> find I end up just consciously remembering the first 4 chars and
> muscle memory completes the rest...
>
> Also see:
>
> http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458
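The thread's entropy arithmetic (11 bits per word from a 2048-word S/KEY list, Diceware's 7776-word list, a random 12-character pwgen string) is easy to get wrong in the direction Callum warns about: a phrase you compose in your head is not a uniform draw from a fixed list, so none of these figures apply to it. The following added example, which is not part of the original message, shows the "proven strategy" side: drawing words uniformly from a known list with a CSPRNG and reporting the entropy that actually results. The word list is a constructed 16-entry sample (4 bits per word, far too small for real use) so the block runs offline; the 62-symbol alphabet assumed for pwgen -s is my assumption about its default alphanumeric output, not something stated in the thread.

```python
import math
import secrets

# Constructed sample list for demonstration only: 16 words = 4 bits per pick.
# A real Diceware list has 7776 (6^5) entries (~12.9 bits per word) and
# S/KEY's list has 2048 (2^11) entries (11 bits per word, as in the thread).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "copper", "meadow",
    "lantern", "orbit", "pepper", "quartz", "saddle", "timber", "velvet",
    "walnut", "zephyr",
]

DICEWARE_LIST_SIZE = 7776   # 6^5 five-dice outcomes
SKEY_LIST_SIZE = 2048       # 2^11, the 11-bits-per-word figure from the thread
PWGEN_ALPHABET_SIZE = 62    # assumption: a-z, A-Z, 0-9 for "pwgen -s"


def entropy_bits(list_size: int, n_picks: int) -> float:
    """Entropy of n_picks independent, uniform draws from a list of list_size
    symbols (words or characters). Only valid when every pick really is a
    uniform CSPRNG draw; it says nothing about a phrase chosen by a human."""
    if list_size < 2 or n_picks < 1:
        raise ValueError("need at least two symbols and one pick")
    return n_picks * math.log2(list_size)


def chars_needed_to_match(bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform random characters from alphabet_size symbols
    that reaches at least `bits` of entropy (e.g. to compare a passphrase
    against a pwgen-style random string)."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_passphrase(words, n_words: int, separator: str = "-") -> str:
    """Diceware-style generation: each word is an independent uniform pick via
    the secrets module. The default separator avoids the space bar, since the
    thread notes its sound can leak the word count to an eavesdropper."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    return separator.join(secrets.choice(words) for _ in range(n_words))


def passphrase_report(words, n_words: int) -> dict:
    """Generate a passphrase and attach the entropy figures that go with it."""
    bits = entropy_bits(len(words), n_words)
    return {
        "passphrase": generate_passphrase(words, n_words),
        "bits": bits,
        "pwgen_chars_for_same_strength": chars_needed_to_match(bits, PWGEN_ALPHABET_SIZE),
    }


if __name__ == "__main__":
    # Figures from the thread, reproduced from the formula rather than by hand.
    print("4 S/KEY words:", entropy_bits(SKEY_LIST_SIZE, 4), "bits")
    print("5 Diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1), "bits")
    print("pwgen -s 12:", round(entropy_bits(PWGEN_ALPHABET_SIZE, 12), 1), "bits")
    print("sample list, 4 words:", passphrase_report(SAMPLE_WORDS, 4))
```

The comparison line is the useful one: four words from the 2048-entry list give 44 bits, which a pwgen-style string matches in 8 characters, while "pwgen -s 12" sits near 71 bits; five Diceware words land in between at about 64.6 bits. The duplicate check exists because a list with repeated entries makes some words more likely than others, silently lowering the real entropy below what the formula reports.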
