On 2014-06-27, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
> Perhaps you should take a look at this funny and very accurate xkcd
> comic strip:
>
> http://xkcd.com/936/

"yes, cracking a stolen hash is faster, but it's not what the average user
should worry about"

I disagree, that is *exactly* what the average user should worry about.
And knowing that some people use xkcd style passwords, who would start on a
brute force attack before they've finished with a decent wordlist run?

> Passwords are all about entropy. Spaces, special characters, don't mean
> much for brute force attacks. If you take a look at the most new, state
> of the art password cracking tools, you'll find that they are very, very
> good at guessing passwords. I believe that using long phrases composed
> of random words as passwords is way more effective than these special,
> punctuation, spaces, passwords.

Using a long phrase is *much* worse than an equally long string of random
characters. But of course most people can't remember the latter. It's a
trade off.

> And remote attacks on your machine are unlikely.

/var/log/authlog on pretty much any machine with exposed ssh tells a
different story ... (not that you really want people even getting as far as
being able to attempt passwords..)
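The entropy argument in the reply above, worked through as an added example (this is not code from either poster). It puts numbers on "a long phrase is much worse than an equally long string of random characters" by scoring the same 28-character phrase under three attacker models: an attacker who knows the phrase is k words from a known list (the "decent wordlist run"), a naive character brute force over lowercase plus space, and, for comparison, a truly random printable-ASCII string of the same length. The list sizes (2048, the 11-bits-per-word estimate used by the xkcd strip; 7776, the Diceware list), the 95-symbol printable alphabet, and the 1e10 guesses/second rate are assumptions chosen for the illustration, not figures from the thread.

```python
import math

# Assumed figures for the worked comparison (not from the thread):
#   2048 words: the xkcd strip's 11-bits-per-word estimate for its example
#   7776 words: the Diceware list
#   95 symbols: printable ASCII
#   27 symbols: lowercase letters plus space, i.e. what a naive character
#       brute force against a lowercase word phrase would have to enumerate
XKCD_WORDS = 2048
DICEWARE_WORDS = 7776
PRINTABLE_ASCII = 95
LOWER_PLUS_SPACE = 27


def bits_for_random_string(length, alphabet_size):
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_for_wordlist_phrase(num_words, wordlist_size):
    """Entropy of `num_words` words chosen uniformly from a known list.

    Once the attacker guesses word by word, separators and the length of
    the individual words add nothing: the space is wordlist_size ** num_words.
    """
    return num_words * math.log2(wordlist_size)


def expected_seconds(bits, guesses_per_second):
    """Average time to hit the secret: half the keyspace at the given rate."""
    return 2.0 ** (bits - 1) / guesses_per_second


def words_needed_to_match(length, alphabet_size, wordlist_size):
    """Random words from the list needed to equal a random string of `length`."""
    target = bits_for_random_string(length, alphabet_size)
    return math.ceil(target / math.log2(wordlist_size))


def compare(phrase, wordlist_size=XKCD_WORDS, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits under three attacker models for one visible length."""
    length = len(phrase)
    num_words = len(phrase.split())
    return {
        # attacker knows the scheme: k words drawn from a known list
        "wordlist_model": bits_for_wordlist_phrase(num_words, wordlist_size),
        # attacker brute-forces characters over the phrase's own alphabet
        "char_bruteforce_model": bits_for_random_string(length, LOWER_PLUS_SPACE),
        # a random printable-ASCII string of the same length, for comparison
        "random_string_same_length": bits_for_random_string(length, alphabet_size),
    }


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # the xkcd example, 28 characters
    for model, bits in compare(phrase).items():
        print(f"{model:28s} {bits:6.1f} bits, "
              f"~{expected_seconds(bits, 1e10):.3g} s at 1e10 guesses/s")
    print("Diceware words needed to match 28 random printable chars:",
          words_needed_to_match(28, PRINTABLE_ASCII, DICEWARE_WORDS))
```

The strength of the phrase is the smallest of these numbers, because the attacker picks the model: 44 bits against a wordlist versus about 184 bits for a random string of the same length, and the wordlist figure does not grow by adding spaces or longer words, only by adding words or enlarging the list. It takes about fifteen Diceware words to match 28 random printable characters, which is the "trade off" the reply refers to.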
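To show what "/var/log/authlog tells a different story" looks like in practice, here is an added example (not from the thread) that runs simple detection logic over constructed sshd lines in the syslog format OpenBSD writes to authlog. The sample lines, hostname, PIDs and addresses are made up for the illustration (documentation address ranges are used); the three-failure threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenBSD authlog (syslog) format; not a real log.
SAMPLE_AUTHLOG = """\
Jun 27 03:12:44 gw sshd[22419]: Invalid user admin from 203.0.113.5
Jun 27 03:12:44 gw sshd[22419]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 27 03:12:47 gw sshd[22421]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun 27 03:12:51 gw sshd[22423]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Jun 27 03:13:02 gw sshd[22425]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Jun 27 03:14:10 gw sshd[22430]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Jun 27 03:14:15 gw sshd[22430]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Jun 27 03:15:00 gw sshd[22440]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."; the optional group
# swallows the "invalid user " prefix so `user` is just the name tried.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def failed_logins(log_text):
    """Yield (source_ip, username) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def summarize(log_text, threshold=3):
    """Count failures per source and flag sources at or above `threshold`.

    Returns (failures_per_ip, suspects) where suspects maps an IP to its
    failure count and the sorted set of usernames it tried; a spread of
    usernames from one source is the usual signature of a scanner rather
    than a user who mistyped a password.
    """
    per_ip = Counter()
    users = defaultdict(set)
    for ip, user in failed_logins(log_text):
        per_ip[ip] += 1
        users[ip].add(user)
    suspects = {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in per_ip.items()
        if n >= threshold
    }
    return dict(per_ip), suspects


if __name__ == "__main__":
    per_ip, suspects = summarize(SAMPLE_AUTHLOG)
    for ip, info in suspects.items():
        print(f"{ip}: {info['failures']} failed password attempts, "
              f"users tried: {', '.join(info['users'])}")
```

On a real box the input would be the file itself (sshd logs there under the auth facility on OpenBSD); the one-failure entry for alice followed by an accepted public key is what a legitimate user looks like, while a single source cycling through admin, oracle, root and test is the password-guessing traffic the reply means.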