Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Callum Lerwick seg at haxxed.com
Thu Oct 13 07:45:40 UTC 2011


On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski
<przemek.klosowski at nist.gov> wrote:
> Length beats out larger character set, which is nicely illustrated by
> the XKCD cartoon
>
> http://imgs.xkcd.com/comics/password_strength.png

Be careful: that xkcd strip glosses over how that phrase was actually
generated. If you just pick words or sentences out of your head, you
could actually have dangerously little actual entropy in your
passphrase. Do NOT actually use spaces in your passphrase; the space
bar typically makes a distinctive sound, so an eavesdropper can
potentially figure out how many words are in your passphrase, and the
length of each word, narrowing their search window...

He's assigning 11 bits of entropy to each word, 2^11 = a word list
2048 words long, which corresponds with S/KEY:

http://en.wikipedia.org/wiki/S/KEY

There's also:

http://en.wikipedia.org/wiki/Diceware
http://en.wikipedia.org/wiki/Bubble_Babble
http://en.wikipedia.org/wiki/Biometric_word_list

Cryptographic security is all in the details, doing it even slightly
wrong can completely destroy your security. Make sure to follow a
proven strategy if you're going the passphrase route.

Personally I've been generating passwords with "pwgen -s 12 1", or for
really important stuff (like online banking), "pwgen -s 12 1". A
different password for absolutely everything, all passwords are stored
in a Revelation database protected by a REALLY long passphrase. I find
it's not that hard to remember a completely obscure 12-char password,
after a day or two of frequent use, if you force yourself to actually
type it in by hand rather than just cut-and-pasting from Revelation.
Try just memorizing 2-4 chars at a time until you remember it all. I
find I end up just consciously remembering the first 4 chars and
muscle memory completes the rest...

Also see:

http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458
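The entropy arithmetic in the message above (11 bits per word from a 2048-word list, versus 12 random characters from pwgen -s), worked through as an added example that is not part of the original post. The word list here is a constructed 16-entry toy standing in for a real S/KEY or Diceware list; the function names are my own, and the key point the code shows is that the bits come from the size of the list and the uniform random draw, not from the words themselves:

```python
import math
import secrets
import string

# Constructed toy word list: 16 entries, so each uniformly chosen word is
# worth log2(16) = 4 bits. A real S/KEY list has 2048 entries (11 bits/word),
# Diceware has 7776 (about 12.9 bits/word).
TOY_WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grove", "hatch",
    "ivory", "jumbo", "kiosk", "lemon", "mango", "noble", "orbit", "pearl",
]

# Alphabet pwgen -s draws from: upper, lower and digits (62 symbols).
PWGEN_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from an
    alphabet of `alphabet_size` symbols. Only valid when the symbols really are
    chosen by a uniform random process, which is the point the message makes:
    words picked out of your head do not get this number."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of guesses an exhaustive attacker needs: half the space."""
    return 2 ** (bits - 1)


def generate_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent CSPRNG draw
    (secrets.choice), so it earns the full log2(len(wordlist)) bits.
    The separator defaults to '-' rather than a space, following the
    message's advice about audible space-bar presses."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int, alphabet: str = PWGEN_ALPHABET) -> str:
    """Equivalent of `pwgen -s <length> 1`: fully random symbols, no
    pronounceability tricks that would lower the entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strategies(wordlist_size: int, n_words: int, pw_length: int) -> dict:
    """Side-by-side entropy of an n-word passphrase and a pw_length-character
    random password, so the two strategies can be sized against each other."""
    phrase_bits = entropy_bits(wordlist_size, n_words)
    pw_bits = entropy_bits(len(PWGEN_ALPHABET), pw_length)
    return {
        "passphrase_bits": phrase_bits,
        "password_bits": pw_bits,
        # How many words from this list it takes to match the random password.
        "words_to_match_password": math.ceil(pw_bits / math.log2(wordlist_size)),
    }


if __name__ == "__main__":
    # The xkcd case: 4 words from a 2048-word list.
    print("4 x 2048-word list :", entropy_bits(2048, 4), "bits")
    # The message's pwgen case: 12 symbols from 62.
    print("pwgen -s 12        :", round(entropy_bits(62, 12), 2), "bits")
    print(compare_strategies(2048, 4, 12))
    print("sample passphrase  :", generate_passphrase(TOY_WORDLIST, 4))
    print("sample password    :", generate_password(12))
```

Note that `compare_strategies(2048, 4, 12)` reports the 4-word passphrase at 44 bits against about 71.5 bits for the 12-character pwgen string, and that it takes 7 words from a 2048-word list to match the latter; that gap is why the message pairs short random passwords with a password manager and reserves the passphrase for the manager's master secret.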

