I’d encourage you to pick one of those random password generating web sites, get an 8 char password and practice typing it 15-20 times. It’s really not that difficult to memorize. Now, memorizing a dozen of them for various websites will be quite a bit more difficult, but that’s where things like lastpass come in.

Typing faster would prolly benefit me quite a bit, as has been pointed out, support for pass phrases is limited. My point is simply that vast improvements can be made to a typical P@$$w0Rd by true randomization without needing to resort to long pass phrases.

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, August 10, 2011 7:22 PM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords

I'm not going to argue the point too strongly, but building a short, complex password probably requires using a mental template of some sort. Perhaps the initial letters of a set of song titles, or addresses, or something like that.

I think that the mental effort of remembering the template and then making the translation to the keyboard is more difficult than choosing a meaningful sentence. And, for touch typists (like me), it's even easier, since the naturalness of typing a sentence is more comfortable than trying to type rather random sequences.

But, whatever works, I suppose.

Kurt

On Wed, Aug 10, 2011 at 15:52, Crawford, Scott <crawfo...@evangel.edu> wrote:

Thx. Now, I realize that the little gray boxes are the bits…I feel dumb. ☺

Not that I disagree with the sentiment, but this assumes that the only way passwords are being generated is through modifying some word. To me, this is a reason not to assume that a password is complex simply because it *looks* complex or because it has a wide sample of characters. Building a complex looking password is not the same as a real complex password. As an example, an 8 character password built from a truly random mix of upper/lower/numeric characters is 62^8 or ~47 bits of entropy. And, that’s before adding symbols.

The problem with passphrases is that they take a relatively long time to type. Definitely easier to remember, but muscle memory makes remembering 8 character random alphanumeric passwords pretty easy too.

From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Wednesday, August 10, 2011 5:06 PM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords

It looks like Randall @ xkcd supposes each word in "correct horse battery staple" has 11 bits of entropy, which is to say, the person choosing the password has a comfortable vocabulary of 2^11 (2,048) words from which he will pick four at random. (2048^4 is the same as 2^44.) I think 2,048 words is a pretty low estimate, at least in English, but that's not really the point...

On the other hand, he suggests forcing people to choose "strong" passwords presses humans into a doofy pattern that is actually much *less* random than four dictionary words. 16 bits of uncertainty for the "uncommon base word" means the user has possibly picked a "difficult" dictionary word (from a vocabulary of 2^16 = 65,536 words -- generously more than a normal person knows), and then mangles it up a little bit in semi-predictable ways to satisfy the password strength checker.

It definitely raises an interesting question... why do so many organizations elect for minimum 8-character complex passwords, instead of "non-complex" passphrases of at least 16 or 20 characters, when the latter would be easier to remember and probably stronger?

--Steve

On Wed, Aug 10, 2011 at 5:33 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:

Interesting. I’d like to understand how the bits of entropy are calculated though.

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Wednesday, August 10, 2011 4:06 PM
To: NT System Admin Issues
Subject: Almost, but not quite OT: Passwords

http://xkcd.com/936/

Yet, very pertinent.

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market…

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
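
The entropy figures traded in this thread (62^8 at about 47 bits, 2048^4 at 44 bits, 16 bits for the base word) can be reproduced and compared with the sketch below, which is an added example and not code from any poster. The placeholder word list, the four mangling counts after the 65,536-word base, and the guessing rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols, as in the thread
# Constructed placeholder list of 2,048 distinct tokens; swap in a real word list.
WORDS = [f"word{i:04d}" for i in range(2048)]

def uniform_bits(pool_size, picks):
    """Entropy in bits of `picks` independent, uniform draws from a pool."""
    return picks * math.log2(pool_size)

def template_bits(choices_per_step):
    """Entropy of a pattern-built password: sum of log2(options) per decision."""
    return sum(math.log2(n) for n in choices_per_step)

def picks_needed(pool_size, target_bits):
    """Smallest number of uniform draws that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

def random_password(length, alphabet=ALNUM):
    # secrets draws from the OS CSPRNG; the bit count only holds for uniform picks.
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words, wordlist=WORDS):
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def years_to_search_half(bits, guesses_per_second):
    """Expected search time: half the keyspace at the given guessing rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Assumed mangling model: 65,536 base words (from the thread), then
    # capitalise or not (2), one of 8 substitution sets, one of 16 symbols,
    # one of 10 digits. The four mangling counts are illustrative guesses.
    rows = [
        ("8 random alphanumerics", uniform_bits(len(ALNUM), 8)),
        ("4 random words of 2,048", uniform_bits(len(WORDS), 4)),
        ("mangled dictionary word", template_bits([65536, 2, 8, 16, 10])),
    ]
    rate = 1e9  # assumed guessing rate (guesses per second)
    for label, bits in rows:
        print(f"{label:26} {bits:5.1f} bits  "
              f"{years_to_search_half(bits, rate):.2e} years at {rate:.0e}/s")
    print(random_password(8), "|", random_passphrase(4))
    print("words to match 8 alnum:", picks_needed(2048, uniform_bits(62, 8)))
```

The bit counts describe the generation process, not the resulting string: a password that a person picks or adjusts by hand does not carry the entropy computed here.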