Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Callum Lerwick seg at
Thu Oct 13 20:50:14 UTC 2011

On Thu, Oct 13, 2011 at 2:45 AM, Callum Lerwick <seg at> wrote:
> Personally I've been generating passwords with "pwgen -s 12 1", or for
> really important stuff (like online banking), "pwgen -s 12 1".

Erk, that should be "pwgen -s -y 12" for the important stuff.
Cut-and-paste fail. :(

A fully random 12 char alpha-numeric (with fully random caps) password
is about ~71 bits of entropy.

A fully random 12 char password using all 94 printable ASCII
characters (not including space) is ~78 bits of entropy.

Remember, bits multiply exponentially. Each additional bit doubles
your search space. If I did my math right, this is exceeding a four
word S/KEY passphrase (~44 bits) by about 8-10 orders of magnitude.
You need to go to 7 (!) S/KEY words to get to ~77 bits of entropy.


Also of interest:

As computers become faster, depending purely on human memory for
security only becomes more and more impractical. As time goes on, OTP
devices are necessary for any real security:

(IIRC, World of Warcraft is the #1 target for cracking, phishing, and
fraud in the world today. Its big business! But I can't find any
references offhand...)

More information about the devel mailing list