Curt wrote:
> Bob Proulx wrote:
> > Just to plug a good tool I like using pwgen to generate truly random
> > passwords.  A long random password is sufficiently difficult to
> > exploit.  If you are using passwords that are easy to crack then they
> > should definitely be disabled.  Here is an example:
> >
> >   $ pwgen 16 1
> >   au6fiegieCh5shio
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726578
That ticket is mostly an argument over defaults.  But you are right
that the way I am using it and proposing it to others I should add
the -s option.  Instead of:

  $ pwgen 16 1
  shohReeg3ceidae7

That should at least have -s instead:

  $ pwgen -s 16 1
  pfqePLprEjMy9D3s

However at 16 characters or more even the default options still
provide quite a bit of entropy and would be hard to exploit.

The biggest problem I have found using random passwords is that some
sites truncate the password to a shorter number of characters.  Some
of those are fairly high profile sites!  http://www.schwab.com/ is a
good example that truncates passwords at eight characters.  There is
no defensible rationale for doing that truncation.  When I see that I
assume that means that they are storing the plaintext of the password
somewhere.  Otherwise if they were properly hashing the password why
would they feel the need to truncate it?

Bob
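An added illustration of the two points in Bob's reply (this is editor-supplied example code, not from the thread and not pwgen's own source): it draws a password from a CSPRNG the way `pwgen -s` does, estimates the entropy of the result, and models what a site that silently keeps only the first N characters does to that entropy. It assumes the 62-character alphabet of letters and digits that `pwgen -s` uses when symbols (`-y`) are not requested, and the `site_limit` of 8 is the truncation described in the message, not a measured value.

```python
import math
import secrets
import string

# Assumed alphabet: the 62 letters and digits pwgen -s draws from when
# symbols (-y) are not requested.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from a CSPRNG, as pwgen -s does."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` independent uniform draws: length * log2(alphabet_size).

    This is an upper bound that only holds for uniform, independent draws
    (pwgen -s); pwgen's default pronounceable mode is below it.
    """
    if length < 0 or alphabet_size < 2:
        raise ValueError("need length >= 0 and an alphabet of at least 2 symbols")
    return length * math.log2(alphabet_size)


def truncation_report(password: str, site_limit: int,
                      alphabet_size: int = len(ALPHABET)) -> dict:
    """Model a site that keeps only the first `site_limit` characters.

    Returns what the site effectively stores and how many bits of the
    generated password it throws away.
    """
    if site_limit < 1:
        raise ValueError("site_limit must be positive")
    kept = password[:site_limit]
    full_bits = entropy_bits(len(password), alphabet_size)
    kept_bits = entropy_bits(len(kept), alphabet_size)
    return {
        "stored": kept,
        "full_bits": round(full_bits, 1),
        "effective_bits": round(kept_bits, 1),
        "bits_discarded": round(full_bits - kept_bits, 1),
        "ignored_suffix_length": len(password) - len(kept),
    }


def truncating_site_accepts(registered: str, attempt: str, site_limit: int) -> bool:
    """Server-side behaviour of a truncating site: any attempt that matches
    the registered password in its first `site_limit` characters is accepted,
    regardless of what follows.  This is the failure mode, not a recommendation.
    """
    return registered[:site_limit] == attempt[:site_limit]


if __name__ == "__main__":
    # The 16-character -s output quoted in the message, reused as sample input.
    sample = "pfqePLprEjMy9D3s"
    print("fresh pwgen -s style password:", generate_password(16))
    print("16 chars from 62 symbols:", round(entropy_bits(16), 1), "bits")
    print("site truncating at 8:", truncation_report(sample, 8))
    # A password that differs from `sample` after the eighth character is
    # still accepted by the modelled site.
    print("suffix ignored:", truncating_site_accepts(sample, "pfqePLprXXXXXXXX", 8))
```

The report makes the message's arithmetic concrete: a 16-character `-s` password carries about 95 bits, and a site that stores only the first eight keeps about 48 of them and silently ignores the rest, which is why `truncating_site_accepts` returns True for a second password that is different from the eighth character onward.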