Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Callum Lerwick seg at
Thu Oct 13 07:45:40 UTC 2011

On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski
<przemek.klosowski at> wrote:
> Length beats out larger character set, which is nicely illustrated by
> the XKCD cartoon

Be careful, that xkcd strip glosses over how that phrase was actually
generated. If you just pick words or sentences out of your head, you
could actually have dangerously little actual entropy in your
passphrase. Do NOT actually use spaces in your passphrase, the space
bar typically makes a distinctive sound so an eavesdropper can
potentially figure out how many words are in your passphrase, and the
length of each word, narrowing their search window...

He's assigning 11 bits of entropy to each word, 2^11 = a word list
2048 words long, which corresponds with S/KEY:

There's also:

Cryptographic security is all in the details, doing it even slightly
wrong can completely destroy your security. Make sure to follow a
proven strategy if you're going the passphrase route.

Personally I've been generating passwords with "pwgen -s 12 1", or for
really important stuff (like online banking), "pwgen -s 12 1". A
different password for absolutely everything, all passwords are stored
in a Revelation database protected by a REALLY long passphrase. I find
its not that hard to remember a completely obscure 12-char password,
after a day or two of frequent use, if you force yourself to actually
type it in by hand rather than just cut-and-pasting from Revelation.
Try just memorizing 2-4 chars at a time until you remember it all. I
find I end up just consciously remembering the first 4 chars and
muscle memory completes the rest...

Also see:

More information about the devel mailing list