Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Callum Lerwick seg at haxxed.com
Thu Oct 13 20:50:14 UTC 2011


On Thu, Oct 13, 2011 at 2:45 AM, Callum Lerwick <seg at haxxed.com> wrote:
> Personally I've been generating passwords with "pwgen -s 12 1", or for
> really important stuff (like online banking), "pwgen -s 12 1".

Erk, that should be "pwgen -s -y 12" for the important stuff.
Cut-and-paste fail. :(

A fully random 12 char alpha-numeric (with fully random caps) password
is about ~71 bits of entropy.

A fully random 12 char password using all 94 printable ASCII
characters (not including space) is ~78 bits of entropy.

Remember, bits multiply exponentially. Each additional bit doubles
your search space. If I did my math right, this is exceeding a four
word S/KEY passphrase (~44 bits) by about 8-10 orders of magnitude.
You need to go to 7 (!) S/KEY words to get to ~77 bits of entropy.

See:

http://en.wikipedia.org/wiki/Password_strength

Also of interest:

http://www.schneier.com/blog/archives/2005/06/write_down_your.html

As computers become faster, depending purely on human memory for
security only becomes more and more impractical. As time goes on, OTP
devices are necessary for any real security:

http://fedoraproject.org/wiki/Infrastruture/Yubikey
http://code.google.com/p/google-authenticator/
http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660

(IIRC, World of Warcraft is the #1 target for cracking, phishing, and
fraud in the world today. It's big business! But I can't find any
references offhand...)
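
The entropy arithmetic above, worked through as an added example (not code from the original post): it computes the bits for uniform random character passwords and for S/KEY-style word passphrases, the gap between them in decimal orders of magnitude, and generates a password in the spirit of "pwgen -s -y 12" (assumed to mean uniform choice from the 94 printable non-space ASCII characters).

```python
import math
import secrets
import string

# Alphabets. PRINTABLE_94 is every printable ASCII character except space,
# the character set the post cites for the "-y" (symbols) case.
ALNUM_62 = string.ascii_letters + string.digits
PRINTABLE_94 = "".join(c for c in string.printable if c.isprintable() and c != " ")

# S/KEY (RFC 2289) uses a fixed 2048-word dictionary, i.e. 11 bits per word.
SKEY_DICT_SIZE = 2048


def charset_entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` characters, each chosen uniformly."""
    return length * math.log2(alphabet_size)


def skey_entropy_bits(n_words, dict_size=SKEY_DICT_SIZE):
    """Entropy of a passphrase of `n_words` words drawn uniformly from the list."""
    return n_words * math.log2(dict_size)


def words_needed(target_bits, dict_size=SKEY_DICT_SIZE):
    """Smallest number of dictionary words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(dict_size))


def orders_of_magnitude(bits_a, bits_b):
    """Decimal orders of magnitude by which search space A exceeds search space B.

    Each extra bit doubles the space, so the ratio is 2**(bits_a - bits_b)."""
    return (bits_a - bits_b) * math.log10(2)


def random_password(length=12, alphabet=PRINTABLE_94):
    """Uniform random password from a CSPRNG; assumed equivalent to pwgen -s -y."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in (("alnum", ALNUM_62), ("printable", PRINTABLE_94)):
        bits = charset_entropy_bits(12, len(alphabet))
        gap = orders_of_magnitude(bits, skey_entropy_bits(4))
        print(f"12 x {name:<9} {bits:5.1f} bits, ~{gap:.0f} orders above 4 S/KEY words")
    print("S/KEY words for ~77 bits:", words_needed(77))
    print("example:", random_password())
```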
