On 25 February 2015 at 06:47, Tomas Mraz <tmraz@redhat.com> wrote:
> On Wed, 2015-02-25 at 14:32 +0100, Hubert Kario wrote:

> > If nobody else is looking at your screen, you can use one of the following
> > random passwords:
> > red mist
> > second wanted degree
> > however ready respect using
> I do not think that a two-random-word password from a not too big
> dictionary would be sufficiently strong. You have to understand that the
> attacker will know which dictionary was used to generate it. And a big
> dictionary means that the words will be so obscure that people will not
> be able to memorize them much more easily than a randomized single word.


Could we drop back from the weeds and go back to a core part? How many bits of entropy are we wanting to encourage towards passwords? Hubert is saying 20 bits; you have another number but have not expressed it. Are we looking for 40 to be minimal? 90? 400?

> > (switch "entropy" with "score" if we want to be user-friendly and not scare
> > users with technicalities)
>
> I am not too confident with the password entropy scoring as presented by
> the NIST standard.


The NIST standard is meant for passwords which are limited in length and was designed in the days when passwords were limited to 7 or 8 characters. So trying to apply its scoring to unlimited-length passwords is definitely suspect.

However, unless we can agree to some sort of measurement system, then everything we 'impose' is going to be no better than throwing salt over our shoulder and turning 3 times widdershins.


--
Stephen J Smoogen.
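The thread argues about bits without pinning down how a dictionary passphrase earns them. The following Python is an added example, not code from any of the participants: it scores a passphrase under the model Tomas describes (the attacker knows the dictionary and the number of words, and each word is drawn uniformly at random), and compares that to a random character string of a given length. The dictionary sizes (1024, 2048 and 7776 words) and the 20/40/90-bit targets used below are assumptions chosen to match the numbers mentioned in the thread; the thread itself does not say which word list produced "red mist" or the longer samples.

```python
import math


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Bits of entropy for `word_count` words drawn uniformly and
    independently from a word list of `dictionary_size` entries.

    This is the attacker-knows-the-dictionary model: the search space is
    exactly dictionary_size ** word_count, so the entropy is
    word_count * log2(dictionary_size), regardless of how obscure the
    words look to a human.
    """
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need at least two words in the list and one word chosen")
    return word_count * math.log2(dictionary_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly from a
    character set of `charset_size` symbols (e.g. 95 printable ASCII)."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least two symbols and length >= 1")
    return length * math.log2(charset_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of random words from the list that reaches target_bits."""
    if dictionary_size < 2 or target_bits <= 0:
        raise ValueError("need at least two words in the list and a positive target")
    return math.ceil(target_bits / math.log2(dictionary_size))


def expected_guesses(bits: float) -> float:
    """Expected number of guesses to find the password by exhaustive search:
    on average the attacker covers half the space, i.e. 2 ** (bits - 1)."""
    return 2.0 ** (bits - 1)


if __name__ == "__main__":
    # Assumed list sizes: 1024 and 2048 are round powers of two, 7776 is the
    # size of a six-sided-dice word list. The thread does not state which
    # list was used for its sample passphrases.
    for size in (1024, 2048, 7776):
        for words in (2, 3, 4):  # same word counts as the three samples above
            bits = passphrase_entropy_bits(size, words)
            print(f"{words} words from {size:>5}-word list: {bits:5.1f} bits")
    print()
    for target in (20, 40, 90):
        needed = {size: words_needed(size, target) for size in (1024, 2048, 7776)}
        print(f"to reach {target:>2} bits: {needed}")
    print()
    # Comparison point: an 8-character string over 95 printable ASCII symbols.
    print(f"8 random printable ASCII chars: {charset_entropy_bits(95, 8):.1f} bits")
```

Running the script shows why the two-word samples sit near Hubert's 20-bit figure (two words from a 1024-word list is exactly 20 bits, from a 2048-word list 22 bits) and how many words a list of a given size must supply to reach 40 or 90 bits; it does not attempt to reproduce the NIST per-character scoring the thread is sceptical of, because that scheme estimates user-chosen passwords rather than uniformly generated ones.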