On Wednesday 25 February 2015 22:54:18 Chris Murphy wrote:
> On Wed, Feb 25, 2015 at 12:24 PM, Miloslav Trmač
> >>> If nobody else is looking at your screen, you can use one of the
> >>> random passwords:
> >>> red mist
> >>> second wanted degree
> >>> however ready respect using
> >> Now this is a useful idea. We should have this. (The required
> >> never-ending nowhere-leading discussion about what the recommendations
> >> should look like notwithstanding.)
> OK well at least there's acknowledgement, at least on this list, that
> there need to be visible recommendations in the UI rather than the
> user given a text fail whale. I don't know if there's consensus on
> What about a "pronounceable" password creator, one that explicitly
> doesn't use dictionary words?
I have used this method before and didn't find pronounceable gibberish to be
easy to remember; words are much more so.
But I don't have anything against providing a few different styles of password to
the user - one with random words, another with random syllables and even one
with completely random characters. But all the presented passwords must pass
the later check and.
> Based on the aforementioned 2009
> estimated cost to brute force attack passwords, it still looks like
> passwords like "however ready respect using" can't possibly be all
> that safe against a voluminous attack.
The NIST recommendations are for on-line systems where the password is used
(and as such, is useful) for a limited amount of time and you have complete
control over the number of tries the attacker can perform.
The brute force you're talking about is for offline attacks where the attacker
has access to password hashes - useful for guidelines for disk encryption or
private key encryption, not so much for a regular login password.
> If you want to go to all this
> work building such a thing and translating it, why not help the user
> create completely non-dictionary passphrases that have some chance of
> being memorable by virtue of being pronounceable. Plus, the proposal
> should be nonsense in any language, which seems less
Diceware already has word lists in many languages; I don't see why we couldn't
have different random passwords (from different dictionaries) if the user
selected a different installer language.
And what you consider pronounceable really depends on the language you
speak... For example, this is a completely valid Czech sentence:
Strč prst skrz krk (literally: stick a finger through the throat)
Yes, it doesn't contain a single vowel :)
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
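Added example (not code from the thread, from Anaconda, or from any Red Hat project): a small Python sketch of the three generator styles discussed above (random words, random syllables, random characters), with the entropy each yields and the expected time to guess it at an online, rate-limited pace versus an offline hash-cracking pace. The word list is a constructed stand-in for a real Diceware list, and the guessing rates (10/s online, 10^10/s offline) and the 7776-word pool size are assumptions chosen only for illustration.

```python
"""Three passphrase styles and how they fare against online vs. offline guessing.

Added example; not code from the thread or any project mentioned in it.
WORDS, the consonant/vowel sets and the attack rates are assumptions.
"""
import math
import secrets
import string

# Constructed stand-in for a real Diceware list (a real list has 6**5 = 7776 entries).
WORDS = [
    "red", "mist", "second", "wanted", "degree", "however", "ready", "respect",
    "using", "anchor", "basket", "cider", "dune", "ember", "fable", "gravel",
    "hollow", "island", "jungle", "kettle", "lantern", "marble", "nickel", "orbit",
]
CONSONANTS = "bcdfghjklmnprstvz"   # 17 letters; assumed set for syllable generation
VOWELS = "aeiou"                   # 5 letters
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII


def random_words(count, words=WORDS):
    """Diceware-style: pick `count` words uniformly with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def random_syllables(count):
    """Pronounceable gibberish: consonant+vowel syllables.

    Note: nothing here filters the result against a dictionary, so a short
    real word can still appear by chance."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(count))


def random_chars(count):
    """Completely random printable ASCII characters."""
    return "".join(secrets.choice(SYMBOLS) for _ in range(count))


def entropy_bits(pool_size, count):
    """Entropy of `count` independent uniform picks from `pool_size` options."""
    return count * math.log2(pool_size)


def expected_guess_seconds(bits, guesses_per_second):
    """Expected time to hit the secret: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


def attack_cost(bits, online_rate=10.0, offline_rate=1e10):
    """Compare a rate-limited online login (assumed 10 guesses/s) against an
    offline attack on a fast hash (assumed 1e10 guesses/s)."""
    return {
        "online_s": expected_guess_seconds(bits, online_rate),
        "offline_s": expected_guess_seconds(bits, offline_rate),
    }


def style_entropies(word_pool=7776, n_words=4, n_syllables=8, n_chars=8):
    """Entropy of one sample of each style, using a full Diceware-sized word pool."""
    return {
        "words": entropy_bits(word_pool, n_words),
        "syllables": entropy_bits(len(CONSONANTS) * len(VOWELS), n_syllables),
        "chars": entropy_bits(len(SYMBOLS), n_chars),
    }


if __name__ == "__main__":
    for name, bits in style_entropies().items():
        cost = attack_cost(bits)
        print(f"{name:10s} {bits:5.1f} bits  online: {cost['online_s'] / 3.15e7:.1e} years"
              f"  offline: {cost['offline_s'] / 86400:.1f} days")
    print("words    :", random_words(4))
    print("syllables:", random_syllables(8))
    print("chars    :", random_chars(8))
```

With the assumed rates, a four-word pick from a 7776-word list (about 51.7 bits) takes millions of years to guess online but roughly two days offline, which is the distinction the reply draws between login passwords and disk or key encryption.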