<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 25 February 2015 at 06:47, Tomas Mraz <span dir="ltr"><<a href="mailto:tmraz@redhat.com" target="_blank">tmraz@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On St, 2015-02-25 at 14:32 +0100, Hubert Kario wrote:<br><br>
> If nobody else is looking at your screen, you can use one of the following<br>
> random passwords:<br>
> red mist<br>
> second wanted degree<br>
> however ready respect using<br>
</div></div>I do not think that two random words password from not too big<br>
dictionary would be sufficiently strong. You have to understand that the<br>
attacker will know which dictionary was used to generate it. And a big<br>
dictionary means that the words will be so obscure that people will not<br>
be able to memorize them much more easily than randomized single word.<br>
<span class=""><br></span></blockquote><div><br></div><div>Could we drop back from the weeds and go back to a core part. How many bits of entropy are we wanting to encourage towards passwords? Hubert is saying 20 bits, you have another but not expressed. Are we looking for 40 to be minimal? 90? 400?</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">(switch "entropy" with "score" if we want to be user-friendly and not scare<br>
> users with technicalities)<br>
<br>
</span>I am not too confident with the password entropy scoring as presented by<br>
the NIST standard.<br><span class="im HOEnZb"><br></span></blockquote><div><br></div><div>The NIST standard is meant for passwords which are limited in length and was designed to be used from the days when passwords were limited to 7 or 8 characters. So trying to apply its scoring in unlimited length passwords is definitely suspect. </div><div><br></div><div>However unless we can agree to some sort of measurement system then every thing we 'impose' is going to be no better than throwing salt over our shoulder and turning 3 times windershin. </div><div><br></div></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Stephen J Smoogen.<br><br></div></div>
</div></div>