Sumit Dhar wrote:

[snip, nice text about passwords]

> On a side note, I wonder why someone has not taken a list of songs,
> poems, famous movies, novels etc and fed it to a dictionary program for
> a password cracker.

Securityfocus has a nice article about this issue:
http://online.securityfocus.com/infocus/1554 ("Ten Windows Password Myths" by Mark Burnett).

<quote>
A common myth is that totally random passwords spit out by password generators are the best passwords. This is not true. While they may in fact be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm. It is easy to create passwords that are just as strong but much easier to remember by using a few simple techniques.

For example, consider the password "[EMAIL PROTECTED]". This password utilizes upper and lower-case letters, two numbers, and two symbols. The password is 20 characters long and can be memorized with very little effort; perhaps even by the time you finish this article. Moreover, this password can be typed very fast. The portion "Makeit20" alternates between left and right-handed keys on the keyboard, improving speed, decreasing typos, and decreasing the chances of someone being able to discover your password by watching you (for a list of nearly eight thousand English words that alternate between left and right-handed keys, see http://www.xato.net/downloads/lrwords.txt.)

The best technique for creating complex passwords that are easier to remember is to use data structures that we are accustomed to remembering. Such structures also make it easy to include punctuation characters in the password, as in the e-mail address example used above. Other data structures that are easy to remember are phone numbers, addresses, names, file paths, etc. Consider also that certain elements make things more memorable for us. For example, patterns, repetition, rhymes, humor, and even offensive words all make passwords that we will never forget.
<unquote>

Grtz,
Jan

-- 
Dutch Security Information Network (http://www.dsinet.org)
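The quoted article makes two checkable claims about a candidate password: that it mixes character classes (upper, lower, digits, symbols) and that a portion of it alternates between left- and right-hand keys. The following is an added example, not code from the thread or from the Securityfocus article, that measures both properties for any string on a US QWERTY layout. The hand assignment is an assumption taken from the usual touch-typing split (digits 1-5 and the keys left of the t/g/b column on the left hand, 6-0 and the y/h/n column and everything to its right on the right hand); characters outside those keys, such as spaces, are marked unknown and excluded from the alternation count.

```python
from collections import Counter

# Assumed US QWERTY hand split (touch-typing convention), including the
# shifted symbol on each key.  Space and non-ASCII characters are not mapped.
LEFT_HAND = set("`~1!2@3#4$5%qwertasdfgzxcvb")
RIGHT_HAND = set("6^7&8*9(0)-_=+yuiop[{]}\\|hjkl;:'\"nm,<.>/?")


def hand_of(ch: str):
    """Return 'L' or 'R' for a key typed by that hand, or None if unmapped."""
    c = ch.lower()
    if c in LEFT_HAND:
        return "L"
    if c in RIGHT_HAND:
        return "R"
    return None


def hand_alternation(password: str):
    """Classify each keystroke by hand and count hand changes between
    adjacent keystrokes.

    Returns (hands, changes, transitions) where `hands` is a string of
    'L', 'R' and '?' (unmapped), `transitions` counts adjacent pairs in
    which both keys are mapped, and `changes` counts those pairs where
    the hand differs.
    """
    hands = "".join(hand_of(c) or "?" for c in password)
    changes = 0
    transitions = 0
    for a, b in zip(hands, hands[1:]):
        if a == "?" or b == "?":
            continue  # unknown key: skip the pair rather than guess
        transitions += 1
        if a != b:
            changes += 1
    return hands, changes, transitions


def alternation_ratio(password: str) -> float:
    """Fraction of mapped adjacent keystroke pairs that switch hands
    (1.0 means fully alternating, 0.0 means no switches or too short)."""
    _, changes, transitions = hand_alternation(password)
    return changes / transitions if transitions else 0.0


def character_classes(password: str) -> dict:
    """Count characters per class, the mix the article uses to argue that a
    structured, memorable password can still be a strong one."""
    counts = Counter()
    for c in password:
        if c.isupper():
            counts["upper"] += 1
        elif c.islower():
            counts["lower"] += 1
        elif c.isdigit():
            counts["digit"] += 1
        elif c.isspace():
            counts["space"] += 1
        else:
            counts["symbol"] += 1
    counts["length"] = len(password)
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample inputs; "Makeit" is the word the article cites.
    for candidate in ("Makeit", "asdf", "pass word", "Ex4mple.name@host.tld"):
        hands, changes, transitions = hand_alternation(candidate)
        print(f"{candidate!r}: hands={hands} changes={changes}/{transitions} "
              f"ratio={alternation_ratio(candidate):.2f} "
              f"classes={character_classes(candidate)}")
```

Running the block on the constructed samples shows "Makeit" as a fully alternating word (every adjacent pair changes hands) and a home-row run such as "asdf" as one that never changes hands, which is the property the lrwords.txt list is built around. Note that the ratio only describes typing ergonomics and shoulder-surfing resistance; it says nothing about guessability, so it belongs alongside a dictionary and length check, never in place of one.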
