On Mon 09 Dec 2019 at 14:10:56 -0500, Celejar wrote:
> On Mon, 09 Dec 2019 16:31:35 +0100
> Jonas Smedegaard <jo...@jones.dk> wrote:
>
> > Quoting Charles Curley (2019-12-09 15:56:26)
> > > On Sun, 8 Dec 2019 18:55:12 +0100 (CET)
> > > <l0f...@tuta.io> wrote:
> > >
> > > > Usual advice : use strong passwords (i.e. long enough with high
> > > > entropy => generated&stored in a dedicated password manager) AND 1
> > > > different per service, never the same.
> > >
> > > There is a handy password generator available on Debian, called APG
> > > (Automated Password Generator), which will generate passwords for you.
> > > The default settings yield a fairly strong password, but you can modify
> > > those to make the results even stronger.
> >
> > I dislike APG because it generates passwords difficult to remember -
> > without aiding in how to deal with that, which has a high risk of
> > passwords getting stored on physical notes in the top drawer...
>
> I use 'pwgen', whose manpage begins thus:
>
> *****
> The pwgen program generates passwords which are designed to be easily
> memorized by humans, while being as secure as possible. Human-memorable
> passwords are never going to be as secure as completely
> completely random passwords. In particular, passwords generated by
> pwgen without the -s option should not be used in places where the
> password could be attacked via an off-line brute-force attack. On the
> other hand, completely randomly generated passwords have a tendency to
> be written down, and are subject to being compromised in that fashion.
> *****
>
> Although I almost always use it with its --secure option, since I
> don't try to memorize passwords, but instead record them (in a plain
> text file) - who can remember hundreds of passwords?
Indeed. Memorising is part of the password problem. I've indicated a possible solution that does not rely on the fallibility of memory in another mail. Your plain text storage method would benefit immensely from using the scrypt package.

-- 
Brian.
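The tradeoff the pwgen manpage describes above (memorable versus fully random) comes down to how many equally likely choices go into each symbol of the password. The following is an added example, not code from this thread and not apg's or pwgen's own implementation; it generates both kinds of password from the OS random source (Python's `secrets`, the same class of generator pwgen's `-s` mode relies on) and computes the entropy of each. The 16-word list is a constructed stand-in for a real diceware list such as the 7776-word EFF list, which you would load from a file in practice.

```python
import math
import secrets
import string

# Constructed stand-in word list (assumption: a real deployment loads a
# full diceware list, e.g. 7776 words, from a file). 16 words = 4 bits/word.
WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pencil",
]

# Printable ASCII minus space: 94 symbols, the usual "fully random" alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Uniform random password over `alphabet`, drawn from the OS CSPRNG.

    This corresponds to the hard-to-memorise kind of password; secrets.choice
    is uniform, so each symbol contributes log2(len(alphabet)) bits.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int, words=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: n uniformly chosen words joined by `sep`.

    Memorable, and still uniformly random as long as the words are picked
    with a CSPRNG and the list has no duplicates.
    """
    if n_words < 1:
        raise ValueError("n_words must be positive")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Entropy in bits of n_symbols independent uniform draws from a set of
    choices_per_symbol elements. Only valid for uniformly random generation;
    a password a human 'chose' has far less entropy than this formula gives."""
    return n_symbols * math.log2(choices_per_symbol)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of wordlist_size entries that
    reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def length_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest random-character length over alphabet_size symbols that
    reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    target = 80.0  # bits; comfortably beyond offline brute force for a good KDF
    print("random :", random_password(length_needed(target, len(ALPHABET))),
          f"({entropy_bits(len(ALPHABET), length_needed(target, len(ALPHABET))):.1f} bits)")
    print("phrase :", passphrase(words_needed(target, len(WORDS))),
          f"({entropy_bits(len(WORDS), words_needed(target, len(WORDS))):.1f} bits)")
    # With a real 7776-word list, the same 80 bits needs only 7 words.
    print("words from a 7776-word list for 80 bits:", words_needed(target, 7776))
```

Run as a script it prints one password of each kind at roughly 80 bits; the point the manpage makes is visible in the numbers: a 13-character random string and a 7-word diceware phrase carry about the same entropy, but only one of them survives being memorised rather than written on a note in the top drawer. The entropy figures hold only because every draw comes from `secrets`; the same formula applied to a password a person made up is meaningless.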