Great info, thanks! Do you recall how many logins you have? And how did you use 1P to retroactively change/evolve to their system? And for "apps" I presume you use copy/paste?
Boy wouldn't it be great if they invented a way to *change* the passwords that they manage easily?

-- Owen

On Thu, Jan 29, 2015 at 9:40 AM, Barry MacKichan <barry.mackic...@mackichan.com> wrote:

> For what it's worth, here are my answers:
>
> 1. I use 1Password on the Mac, Windows, and iOS, which is currently all the computers I use. The passwords it generates for me are currently 20 characters including upper and lower case, digits, punctuation, and symbols. I never (well, hardly ever) have to enter one by hand, so I don't mind using ambiguous characters (1, l, I, 0, O). They are not limited to 20 characters, but that seemed enough to me. The only problem is sites that put a low limit on the number of characters in a password (!!!)
>
> 2. The character distribution in the 'sentence-based stunts' is probably like the character distribution in English -- the etaoinshrdlu distribution. Since some characters may be more or less likely as word starters, the entropy might be even less than in English, so I don't consider it random.
>
> 3. I've considered putting some unicode characters in my 1Password master password, but I haven't checked to see that I can enter them in a password field on all the platforms I use. I would expect that unicode in a password field is represented as UTF8, so that making a single character unicode would add only one, maybe two, bytes to the password, rather than doubling the length. Making some of the characters ≥ 128 and < 256 would change the number of combinations that need to be checked from 128^n to 256^n; i.e., it would multiply it by 2^n, but this could also be done by adding a few more characters. Using UTF8 unicode would also put in high bytes.
>
> The XKCD method is not bad. The fact that the component parts are words is not fatal. With the DICE method, you pick words at random from a dictionary of about 7000 words. Brute force cracking a five-word password requires 7000^5 tries, and then you can change the capitalization, use a variety of symbols between the words, etc. to increase the number. If someone tries to crack my 1Password vault, they don't have a hashed password, so they need to feed each password to 1Password, which uses PBKDF to slow down the process. With current hardware the time to crack my vault is over 100,000 years; I forget the exact number. When hardware improves, I'll add another word to the password.
>
> For passwords I must remember (logon, Apple ID, Dropbox) I use a program written by a friend which produces 11-character pronounceable pseudo-words. Dropbox has a shorter password so I can get to the 1Password vault it contains in the case of disaster.
>
> —Barry
>
> On 28 Jan 2015, at 21:25, Owen Densmore wrote:
>
>> So questions:
>> - How many of us are now using completely random pw's generated by one of the pw managers?
>> - Is sentence based stunts close to "random"?
>> - Wouldn't unicode help here? 16 bit characters would definitely bother the crackers, right?
>
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
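The entropy arithmetic in Barry's reply (five words from a ~7000-word list, 128^n versus 256^n, the UTF-8 byte cost of a non-ASCII character, and the KDF slowing each guess), worked through as an added Python example that is not part of the thread. The guess rate and iteration count are illustrative assumptions, not measurements of any product.

```python
import math

# Constructed, illustrative parameters (assumptions, not measured values):
DICEWARE_WORDS = 7000          # "a dictionary of about 7000 words" in the thread
ASCII_PRINTABLE = 95           # printable ASCII; the thread's 128^n is the 7-bit upper bound
GUESSES_PER_SECOND = 1e10      # assumed attacker throughput against an unprotected fast hash
KDF_ITERATIONS = 100_000       # assumed PBKDF2-style work factor per guess

def entropy_bits_charset(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def entropy_bits_diceware(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Bits of entropy in `words` words drawn uniformly from the list (7000^5 tries for 5)."""
    return words * math.log2(dictionary_size)

def extra_bits_from_high_bytes(length: int) -> float:
    """Moving every position from 128 to 256 candidates multiplies the space by 2^n: n bits."""
    return entropy_bits_charset(256, length) - entropy_bits_charset(128, length)

def chars_needed_for_bits(alphabet_size: int, bits: float) -> int:
    """Smallest number of extra characters from `alphabet_size` that buys at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))

def utf8_length_bytes(password: str) -> int:
    """Byte length a UTF-8 password field sees; U+0080..U+00FF costs 2 bytes, not 1."""
    return len(password.encode("utf-8"))

def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND,
                     kdf_iterations: int = 1) -> float:
    """Worst-case years to try every candidate when each guess costs `kdf_iterations` hashes."""
    seconds = (2.0 ** bits) * kdf_iterations / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    five_words = entropy_bits_diceware(5)
    print(f"5 diceware words: {five_words:.1f} bits")
    print(f"20 random printable ASCII: {entropy_bits_charset(ASCII_PRINTABLE, 20):.1f} bits")
    n = 20
    gained = extra_bits_from_high_bytes(n)
    print(f"128^n -> 256^n at n={n}: +{gained:.0f} bits, "
          f"same as {chars_needed_for_bits(128, gained)} extra 7-bit characters")
    print(f"'pässword' is {utf8_length_bytes('pässword')} bytes in UTF-8 (one extra byte)")
    print(f"5 words, fast hash: {years_to_exhaust(five_words):.1f} years; "
          f"behind the KDF: {years_to_exhaust(five_words, kdf_iterations=KDF_ITERATIONS):.2e} years")
```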