On Tue 13 Jan 2015 at 22:16:12 -0700, Bob Proulx wrote:
> Brian wrote:
> > Seeing that my argument that enforcing (if it is possible) an
> > unmemorable password is not in the best interests of security doesn't
> > gain any traction, let me try a different tack.
> >
> > The password
> >
> > TwasBrilligAndTheSlithyToves
> >
> > strikes me as a pretty good one for an ssh login. (I have capitalised
> > some letters for readability, not to add complexity). Personally, I find
> > it easy to remember and associate with ssh and my account. I cannot see
> > why it is not a good password for me.
>
> Why passwords have never been weaker—and crackers have never been stronger
> http://arstechnica.com/security/2012/08/passwords-under-assault/
>
>     Most importantly, a series of leaks over the past few years containing
>     more than 100 million real-world passwords have provided crackers with
>     important new insights about how people in different walks of life
>     choose passwords on different sites or in different settings. The
>     ever-growing list of leaked passwords allows programmers to write
>     rules that make cracking algorithms faster and more accurate; password
>     attacks have become cut-and-paste exercises that even script kiddies
>     can perform with ease.
>
> To summarize the problem: it is that you as a human are unique in the
> universe, just like everyone else. Analyzing 100 million passwords
> exposes the human bias that you introduce that you don't realize you
> are introducing. It is "big data" removing the uniqueness and
> reducing the search space.
A good article. There is a follow-up at
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

Although it affects a user, the lack of security at a site is not fixable
by him and is not his responsibility. If usernames and hashes are exposed
to an off-line attack I would agree the only certain protection is a long,
complex password comprising random characters. It would be beyond the
present techniques to match the hash in any realistic time.

I am still going to maintain that "TwasBrilligAndTheSlithyToves" is a more
than adequate password for logging in *on-line*. If I were to lack trust
in the maintenance of security at a site I might consider a change of
heart. But then, what would I base my judgement on, apart from the
theoretical possibility?

> I won't say that the technique you show above is a bad thing. But the
> current wisdom is that it isn't good enough anymore because after
> analyzing millions of real world passwords, programs can now guess
> what humans will do much of the time. So what you really need is
> something other than what a human would produce.

We are still on off-line cracking?

How does this sound? Memorable passwords are good. Long, complex
passwords are also good. One needn't exclude the other. I can remember
"TwasBrilligAndTheSlithyToves" and associate it with an account. Before
signing up I do

    echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30

The output is what I give to a site as a password. Furthermore, before any
future logins I can run the command again to get the same password. Isn't
this on-line and off-line cracking taken care of?

Archive: https://lists.debian.org/20150114215605.gb15...@copernicus.demon.co.uk
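The derivation pipeline described in the message above, wrapped in shell functions so its behaviour can be checked. This is an added example and not code from the thread; the function names are my own. Two properties matter to anyone relying on such a scheme: the transform is public and deterministic, so the derived string is exactly as secret as the phrase it is derived from (it defeats only a cracker who never guesses the phrase), and `echo` appends a newline that becomes part of the hashed input, so hashing the phrase with `printf '%s'` or with another tool yields a different password and the user is locked out of the account.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.

# Derive a 30-character password from a memorable phrase exactly as the
# post describes. echo appends "\n", so the hashed input is phrase+newline;
# sha1sum prints "<40 hex digits>  -", base64 encodes that text, and cut
# keeps the first 30 characters (roughly the first 22 hex digits of the
# hash, about 88 bits of hash output). Only base64 characters can appear.
derive_password() {
    echo "$1" | sha1sum | base64 | cut -c -30
}

# The same scheme without the trailing newline. Kept separate to show that
# the two do not interoperate: a user who later hashes the phrase without
# "\n" (printf, a GUI tool, a web form) will not recover the same password.
derive_password_nonl() {
    printf '%s' "$1" | sha1sum | base64 | cut -c -30
}

# Returns 0 when a string is 30 characters drawn from the base64 alphabet,
# i.e. the shape a site receives from derive_password. Useful when checking
# which of a set of stored passwords came from this derivation.
looks_like_derived() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/=]{30}$'
}

# Demonstration: the same phrase always yields the same derived password,
# and the newline-free variant yields a different one.
phrase='TwasBrilligAndTheSlithyToves'
printf 'echo variant  : %s\n' "$(derive_password "$phrase")"
printf 'printf variant: %s\n' "$(derive_password_nonl "$phrase")"
```

Run it as a script, or source it and call `derive_password 'your phrase'`. Note that the phrase, not the derived string, is the thing a site's breach-analysis or a user's threat model should treat as the password.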