OT:Password strength


OT:Password strength

Eric Furman-3
OFF TOPIC. This has nothing to do with OpenBSD,
but a lot of guys here know about this stuff.
I've done some reading, but still not sure.
OK, at the risk of looking stupid, which of these passwords is better:
kMH65?&3
or
mylittlelambjumpedovertenredbarns


Re: OT:Password strength

Brian Empson-2
The latter, I would bet.

On 11/29/2014 10:07 PM, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better:
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns


Re: OT:Password strength

bodie
In reply to this post by Eric Furman-3
On 30.11.2014 04:07, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better:
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns


Nice updated FAQ about that:
http://www.baekdal.com/insights/the-usability-of-passwords-faq (at the start
it links to the original, worth-to-read article)


Re: OT:Password strength

Nick Holland
In reply to this post by Eric Furman-3
On 11/29/14 22:06, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better:
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns

there's an XKCD comic along these lines.  I'm too lazy to dig it up.

"It's complicated."
Both have eight "things".  The latter is drawn from a much much larger
set (words (thousands), vs. characters (not 100)).  So, looks like a
simple win for the second over the first, right?

Problem is the words "connect" to humans.  "little" is more likely to be
followed by "lamb" than it is "red" (though if "red" follows "little" I
bet the next word would be "wagon").  "red" is more likely to be
followed by "barn" than "lamb".  Still, there's a huge number of choices
for each "word", so I'd say the phrases still win.

(sorta related side note: At least with names, there's some curious
clusters that are seen -- for example, a friend of mine and her two
siblings have (basically) the same names as three of Adolph Hitler's
siblings (one is a slight stretch, the other two are dead-on, which is
impressive considering the very different ethnic backgrounds).  I don't
think my friend's parents would have permitted this had they known.
I've seen similar "groupings" of names in other families.  (Did I just
win the award for most unexpected use of "hitler" in an internet
discussion?))

Simply saying "there are X words of five letters or less and there are
eight of them in my pw means there are X^8 PWs someone would have to try
to get my PW" is wrong by probably several orders of magnitude.  That's
not how humans pick passwords, and if the computer does it for you, it
might be as hard or harder than if you use random characters.

Then there is the system where it is stored.  If you are working on a
stock Solaris 9 or AIX system with the default settings, only the first
eight chars are used, so the random string is much better than
"mylittle", and if you, like most people, reuse passwords or don't know
that the target system only uses the first eight characters, you can end
up using a trivial pw that you thought was really good.

If the back-end storage "gives away" the length of the pw in any way and
you see the pw is 33 chars long, you can probably bet it isn't going to
be random characters, so you would probably set your PW guesser to use
dictionary words rather than random characters, reducing the advantage.

Which is easier to remember for real people?  Which is easier to type?
No contest -- and for that reason, I'd say the overall benefit is with
the string of eight words over the string of eight random characters.

But...
Realistically, most attacks seem to be based on breaking TRIVIAL
passwords, social engineering, or use software flaws that permit access
to things that allow access to things that allow access to things ...so
either is probably "more than sufficient" to make sure that a password
guess of either of those accounts was NOT the reason for a security breach.

Kinda like escaping from a hungry lion...you don't need to outrun the
lion, you just need to outrun your friend.  You don't need an
unbreakable password, you just need one better than management uses, and
you can't be blamed for the breach.  Anything more than that
is probably wasted effort.  If there is a breach that permits the
download of the hashed PW file, both may be similarly prone to off-line
brute-forcing.

Sounds cynical, but really, if you are arguing over which is the
"better" password, you are wasting time that should be spent looking for
more likely security problems.  That kinda brings it back to OpenBSD for
you. :)

Nick.


Re: OT:Password strength

bodie
In reply to this post by Eric Furman-3
On 30.11.2014 06:48, Nick Holland wrote:

> On 11/29/14 22:06, Eric Furman wrote:
>> OFF TOPIC. This has nothing to do with OpenBSD,
>> but a lot of guys here know about this stuff.
>> I've done some reading, but still not sure.
>> OK, at the risk of looking stupid, which of these passwords is
>> better:
>> kMH65?&3
>> or
>> mylittlelambjumpedovertenredbarns
>
> there's an XKCD comic along these lines.  I'm too lazy to dig it up.

You mean this one, I think: http://xkcd.com/936/

>
> "It's complicated."
> Both have eight "things".  The latter is drawn from a much much larger
> set (words (thousands), vs. characters (not 100)).  So, looks like a
> simple win for the second over the first, right?
>
> Problem is the words "connect" to humans.  "little" is more likely to
> be
> followed by "lamb" than it is "red" (though if "red" follows "little"
> I
> bet the next word would be "wagon").  "red" is more likely to be
> followed by "barn" than "lamb".  Still, there's a huge number of
> choices
> for each "word", so I'd say the phrases still win.
>
> (sorta related side note: At least with names, there's some curious
> clusters that are seen -- for example, a friend of mine and her two
> siblings have (basically) the same names as three of Adolph Hitler's
> siblings (one is a slight stretch, the other two are dead-on, which
> is
> impressive considering the very different ethnic backgrounds).  I
> don't
> think my friend's parents would have permitted this had they known.
> I've seen similar "groupings" of names in other families.  (Did I
> just
> win the award for most unexpected use of "hitler" in an internet
> discussion?))
>
> Simply saying "there are X words of five letters or less and there
> are
> eight of them in my pw means there are X^8 PWs someone would have to
> try
> to get my PW" is wrong by probably several orders of magnitude.  
> That's
> not how humans pick passwords, and if the computer does it for you,
> it
> might be as hard or harder than if you use random characters.
>
> Then there is the system where it is stored.  If you are working on a
> stock Solaris 9 or AIX system with the default settings, only the
> first
> eight chars are used, so the random string is much better than
> "mylittle", and if you, like most people, reuse passwords or don't
> know
> that the target system only uses the first eight characters, you can
> end
> up using a trivial pw that you thought was really good.
>
> If the back-end storage "gives away" the length of the pw in any way
> and
> you see the pw is 33 chars long, you can probably bet it isn't going
> to
> be random characters, so you would probably set your PW guesser to
> use
> dictionary words rather than random characters, reducing the
> advantage.
>
> Which is easier to remember for real people?  Which is easier to
> type?
> No contest -- and for that reason, I'd say the overall benefit is
> with
> the string of eight words over the string of eight random characters.
>
> But...
> Realistically, most attacks seem to be based on breaking TRIVIAL
> passwords, social engineering, or use software flaws that permit
> access
> to things that allow access to things that allow access to things
> ...so
> either is probably "more than sufficient" to make sure that a
> password
> guess of either of those accounts was NOT the reason for a security
> breach.
>
> Kinda like escaping from a hungry lion...you don't need to outrun the
> lion, you just need to outrun your friend.  You don't need an
> unbreakable password, you just need one better than management uses,
> and
> you can't be blamed for the breach.  Anything more than
> that
> is probably wasted effort.  If there is a breach that permits the
> download of the hashed PW file, both may be similarly prone to
> off-line
> brute-forcing.

Yeah, you can do a lot for e.g. a friend's computer, but then he will start
to use a regular browser and JavaScript and such, and then suddenly most
of what you've done doesn't matter anymore
http://www.youtube.com/watch?v=0QT4YJn7oVI

:-)

>
> Sounds cynical, but really, if you are arguing over which is the
> "better" password, you are wasting time that should be spent looking
> for
> more likely security problems.  That kinda brings it back to OpenBSD
> for
> you. :)
>
> Nick.


Re: OT:Password strength

Ted Unangst-6
In reply to this post by Eric Furman-3
On Sat, Nov 29, 2014 at 22:07, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better:
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns

I think it's a mistake to reverse a password into entropy. If your
pool of possible passwords is sentences from common nursery rhymes,
for example, they may look awesome but in reality there are only a few
thousand possibilities.

Instead, pick a generating algorithm. It can be random letters, random
symbols, whatever. Random words. Random fake words consisting of
alternating consonants and vowels. You know how big the search space
is for each "atom". Divide desired password strength (e.g. 64 bits) by
bits per atom to determine required number of atoms.

For the consonant/vowel example, here's a luajit script that makes
passwords. Even though they are all lower case, they are at least 64
bits "hard".

local letters = {
        "c", "k", "t", "tr", "rt", "p", "pr", "d",
        "v", "n", "l", "nd", "z", "g", "th", "s" }
local vowels = { "a", "e", "i", "o", "u", "y", "oo", "ee" }

local letterbits = 4
local vowelbits = 3

local wantedbits = 64

local bits = 0

local ffi = require "ffi"
ffi.cdef[[uint32_t arc4random_uniform(uint32_t);]]
local function rand(max)
        return ffi.C.arc4random_uniform(max) + 1
end    

local atoms = { }
while bits < wantedbits do
        table.insert(atoms, letters[rand(16)])
        table.insert(atoms, vowels[rand(8)])
        bits = bits + letterbits + vowelbits
end    
print(table.concat(atoms))

Examples:

treetykaveprethicooputhedu
soonataviceenoopatecoge
gootrozapiceelytrithunula
preezypeendothanundipeesooka
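Ted's atom-and-bits method, written out as an added Python example (not Ted's code and not from this thread): it reuses his consonant and vowel sets, generalises the bit budget to any list of alphabets, and adds the X^n arithmetic Nick discusses so the two candidates from the original question can be compared as if they had been machine-chosen. The toy word list, `PRINTABLE_ASCII` and the function names are constructed here.

```python
import math
import secrets
from typing import Sequence

# Ted's atom sets, copied from the luajit script in this thread.
CONSONANTS = ["c", "k", "t", "tr", "rt", "p", "pr", "d",
              "v", "n", "l", "nd", "z", "g", "th", "s"]   # 16 -> 4 bits
VOWELS = ["a", "e", "i", "o", "u", "y", "oo", "ee"]        # 8  -> 3 bits

# Constructed toy word list (16 entries, 4 bits per word). A real list such
# as the 7776-word diceware list gives about 12.9 bits per word.
TOY_WORDS = ["lamb", "barn", "little", "red", "jumped", "over", "ten", "my",
             "wagon", "moon", "river", "stone", "cloud", "green", "fox", "gate"]

PRINTABLE_ASCII = 94  # printable, non-space ASCII: the set behind "kMH65?&3"


def bits_per_atom(alphabet: Sequence[str]) -> float:
    """Entropy of one atom drawn uniformly at random: log2(alphabet size).

    This is the only place entropy enters the design. It holds when the atom
    is chosen by a CSPRNG independently of the previous atoms; it does not
    hold for a phrase a human remembers, which is Ted's objection to
    reversing a finished password back into an entropy figure.
    """
    return math.log2(len(alphabet))


def bits_per_round(alphabets: Sequence[Sequence[str]]) -> float:
    """One round draws one atom from each alphabet in order (C, V, C, V, ...)."""
    return sum(bits_per_atom(a) for a in alphabets)


def rounds_needed(wanted_bits: float, alphabets: Sequence[Sequence[str]]) -> int:
    """Ted's rule: divide the wanted strength by bits per atom, round up."""
    return math.ceil(wanted_bits / bits_per_round(alphabets))


def generate(wanted_bits: float, alphabets: Sequence[Sequence[str]],
             separator: str = "") -> tuple[str, float]:
    """Return (password, bits) with bits >= wanted_bits.

    bits counts the generator's choices. Ted's pattern is uniquely decodable
    without a separator because consonants and vowels are disjoint sets that
    strictly alternate. Arbitrary word lists are not (shared prefixes let two
    atom sequences concatenate to the same string), so for words the figure
    is an upper bound unless a separator is used.
    """
    rounds = rounds_needed(wanted_bits, alphabets)
    atoms = [secrets.choice(alphabet)
             for _ in range(rounds) for alphabet in alphabets]
    return separator.join(atoms), rounds * bits_per_round(alphabets)


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Strength of `length` atoms drawn uniformly from alphabet_size choices.

    This is the X^length arithmetic Nick warns about: exact for
    machine-chosen atoms, wildly optimistic for human-chosen words.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw, bits = generate(64, [CONSONANTS, VOWELS])      # 10 rounds -> 70 bits
    print(f"{pw}  ({bits:.0f} bits, {len(pw)} chars)")
    pw, bits = generate(64, [TOY_WORDS], separator="-")  # 16 words -> 64 bits
    print(f"{pw}  ({bits:.0f} bits)")
    # The two candidates from the original question, had they been random:
    print(f"8 random printable chars:        {uniform_bits(PRINTABLE_ASCII, 8):.1f} bits")
    print(f"8 random diceware words:         {uniform_bits(7776, 8):.1f} bits")
    print(f"8 words from a 16-word toy list: {uniform_bits(len(TOY_WORDS), 8):.1f} bits")
```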


Re: OT:Password strength

Miod Vallat
> Examples:
>
> treetykaveprethicooputhedu
> soonataviceenoopatecoge
> gootrozapiceelytrithunula
> preezypeendothanundipeesooka

These stand no chance against a Finnish attacker!

Miod


Re: OT:Password strength

RichardET
In reply to this post by Ted Unangst-6
Where do you store these passwords? On a napkin?

  Original Message  
From: Ted Unangst
Sent: Sunday, November 30, 2014 3:21 PM
To: Eric Furman
Cc: OpenBSD Misc
Subject: Re: OT:Password strength

On Sat, Nov 29, 2014 at 22:07, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better:
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns

I think it's a mistake to reverse a password into entropy. If your
pool of possible passwords is sentences from common nursery rhymes,
for example, they may look awesome but in reality there are only a few
thousand possibilities.

Instead, pick a generating algorithm. It can be random letters, random
symbols, whatever. Random words. Random fake words consisting of
alternating consonants and vowels. You know how big the search space
is for each "atom". Divide desired password strength (e.g. 64 bits) by
bits per atom to determine required number of atoms.

For the consonant/vowel example, here's a luajit script that makes
passwords. Even though they are all lower case, they are at least 64
bits "hard".

local letters = {
        "c", "k", "t", "tr", "rt", "p", "pr", "d",
        "v", "n", "l", "nd", "z", "g", "th", "s" }
local vowels = { "a", "e", "i", "o", "u", "y", "oo", "ee" }

local letterbits = 4
local vowelbits = 3

local wantedbits = 64

local bits = 0

local ffi = require "ffi"
ffi.cdef[[uint32_t arc4random_uniform(uint32_t);]]
local function rand(max)
        return ffi.C.arc4random_uniform(max) + 1
end

local atoms = { }
while bits < wantedbits do
        table.insert(atoms, letters[rand(16)])
        table.insert(atoms, vowels[rand(8)])
        bits = bits + letterbits + vowelbits
end
print(table.concat(atoms))

Examples:

treetykaveprethicooputhedu
soonataviceenoopatecoge
gootrozapiceelytrithunula
preezypeendothanundipeesooka


Re: OT:Password strength

Ted Unangst-6
In reply to this post by Eric Furman-3
On Sun, Nov 30, 2014 at 15:37, [hidden email] wrote:
> Where do you store these passwords? On a napkin?

Wherever you like. A shorter password with all the o's turned into 0's
is hardly more secure.


Re: OT:Password strength

RichardET
I get why network admins and CIO types live and breathe security and hardened passwords, but the average user has gone mad. I like leading alpha characters in combination with an old phone number, with a few non-alpha characters, leading and trailing. Thus a password that I can remember, but not something easy to guess. Example: I worked at Empire Blue Cross 20 years ago. My phone was x3699.   212 476 3699. Thus say, =EmpBC3699& would be fairly good, and I could recall it without writing it down.    One could say that 3699 is too easy, perhaps, but it's a quick example of an easy analog way to create a password which is ok, and easy to remember.

  Original Message  
From: Ted Unangst
Sent: Sunday, November 30, 2014 4:21 PM
To: [hidden email]
Cc: Eric Furman; OpenBSD Misc
Subject: Re: OT:Password strength

On Sun, Nov 30, 2014 at 15:37, [hidden email] wrote:
> Where do you store these passwords? On a napkin?

Wherever you like. A shorter password with all the o's turned into 0's
is hardly more secure.


Re: OT:Password strength

Eric Furman-3
On Sun, Nov 30, 2014, at 05:02 PM, [hidden email] wrote:

> I get why network admins and CIO types live and breathe security and
> hardened passwords, but the average user has gone mad. I like leading
> alpha characters in combination with an old phone number, with a few
> non-alpha characters, leading and trailing. Thus a password that I can
> remember, but not something easy to guess. Example: I worked at Empire
> Blue Cross 20 years ago. My phone was x3699.   212 476 3699. Thus say,
> =EmpBC3699& would be fairly good, and I could recall it without writing
> it down.    One could say that 3699 is too easy, perhaps, but it's a
> quick example of an easy analog way to create a password which is ok, and
> easy to remember.

But according to this article;
https://www.schneier.com/blog/archives/2007/01/choosing_secure.html

if an attacker did have some of this personal info your password
would be easy to crack.


Re: OT:Password strength

Eric Furman-3
In reply to this post by Ted Unangst-6
On Sun, Nov 30, 2014, at 03:20 PM, Ted Unangst wrote:

> On Sat, Nov 29, 2014 at 22:07, Eric Furman wrote:
> > OFF TOPIC. This has nothing to do with OpenBSD,
> > but a lot of guys here know about this stuff.
> > I've done some reading, but still not sure.
> > OK, at the risk of looking stupid, which of these passwords is better:
> > kMH65?&3
> > or
> > mylittlelambjumpedovertenredbarns
>
> I think it's a mistake to reverse a password into entropy. If your
> pool of possible passwords is sentences from common nursery rhymes,
> for example, they may look awesome but in reality there are only a few
> thousand possibilities.
>
> Instead, pick a generating algorithm. It can be random letters, random
> symbols, whatever. Random words. Random fake words consisting of
> alternating consonants and vowels. You know how big the search space
> is for each "atom". Divide desired password strength (e.g. 64 bits) by
> bits per atom to determine required number of atoms.
>
> For the consonant/vowel example, here's a luajit script that makes
> passwords. Even though they are all lower case, they are at least 64
> bits "hard".
>
> local letters = {
>         "c", "k", "t", "tr", "rt", "p", "pr", "d",
>         "v", "n", "l", "nd", "z", "g", "th", "s" }
> local vowels = { "a", "e", "i", "o", "u", "y", "oo", "ee" }
>
> local letterbits = 4
> local vowelbits = 3
>
> local wantedbits = 64
>
> local bits = 0
>
> local ffi = require "ffi"
> ffi.cdef[[uint32_t arc4random_uniform(uint32_t);]]
> local function rand(max)
>         return ffi.C.arc4random_uniform(max) + 1
> end    
>
> local atoms = { }
> while bits < wantedbits do
>         table.insert(atoms, letters[rand(16)])
>         table.insert(atoms, vowels[rand(8)])
>         bits = bits + letterbits + vowelbits
> end    
> print(table.concat(atoms))
>
> Examples:
>
> treetykaveprethicooputhedu
> soonataviceenoopatecoge
> gootrozapiceelytrithunula
> preezypeendothanundipeesooka

Bruce Schneier agrees. :)
According to him, modern password crackers find string-of-words passwords,
like the one in XKCD, easy to crack.
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

But I can't always use a password manager and those passwords are
impossible to remember.


Re: OT:Password strength

Eric Furman-3
In reply to this post by Nick Holland
On Sun, Nov 30, 2014, at 12:48 AM, Nick Holland wrote:

> On 11/29/14 22:06, Eric Furman wrote:
> > OFF TOPIC. This has nothing to do with OpenBSD,
> > but a lot of guys here know about this stuff.
> > I've done some reading, but still not sure.
> > OK, at the risk of looking stupid, which of these passwords is better:
> > kMH65?&3
> > or
> > mylittlelambjumpedovertenredbarns
>
> there's an XKCD comic along these lines.  I'm too lazy to dig it up.
>
> "It's complicated."
> Both have eight "things".  The latter is drawn from a much much larger
> set (words (thousands), vs. characters (not 100)).  So, looks like a
> simple win for the second over the first, right?
>
> Problem is the words "connect" to humans.  "little" is more likely to be
> followed by "lamb" than it is "red" (though if "red" follows "little" I
> bet the next word would be "wagon").  "red" is more likely to be
> followed by "barn" than "lamb".  Still, there's a huge number of choices
> for each "word", so I'd say the phrases still win.
>
> (sorta related side note: At least with names, there's some curious
> clusters that are seen -- for example, a friend of mine and her two
> siblings have (basically) the same names as three of Adolph Hitler's
> siblings (one is a slight stretch, the other two are dead-on, which is
> impressive considering the very different ethnic backgrounds).  I don't
> think my friend's parents would have permitted this had they known.
> I've seen similar "groupings" of names in other families.  (Did I just
> win the award for most unexpected use of "hitler" in an internet
> discussion?))
>
> Simply saying "there are X words of five letters or less and there are
> eight of them in my pw means there are X^8 PWs someone would have to try
> to get my PW" is wrong by probably several orders of magnitude.  That's
> not how humans pick passwords, and if the computer does it for you, it
> might be as hard or harder than if you use random characters.
>
> Then there is the system where it is stored.  If you are working on a
> stock Solaris 9 or AIX system with the default settings, only the first
> eight chars are used, so the random string is much better than
> "mylittle", and if you, like most people, reuse passwords or don't know
> that the target system only uses the first eight characters, you can end
> up using a trivial pw that you thought was really good.

Yes, part of the reason for asking this question was that I am aware
that some authentication schemes only use the first 8 characters.
Is there any way of knowing if they do ignore any characters after the
first eight?
Are authentication schemes that don't recognize more than eight
characters still common?

One of my banking sites won't accept certain special characters.
Like $, %, ?
Which messes up my best short passwords that I actually remember.


Re: OT:Password strength

davidson
On Sun, November 30, 2014 8:09 pm, Eric Furman wrote:
> On Sun, Nov 30, 2014, at 12:48 AM, Nick Holland wrote:
<lots snipped>

>> Then there is the system where it is stored.  If you are working on a
>> stock Solaris 9 or AIX system with the default settings, only the first
>> eight chars are used, so the random string is much better than
>> "mylittle", and if you, like most people, reuse passwords or don't know
>> that the target system only uses the first eight characters, you can end
>> up using a trivial pw that you thought was really good.
>
> Yes, part of the reason for asking this question was that I am aware
> that some authentication schemes only use the first 8 characters.
> Is there any way of knowing if they do ignore any characters after
> the first eight?

sure.  after setting your password to more than eight characters, try
logging in by entering just the first eight characters.

> Are authentication schemes that don't recognize more than eight
> characters still common?

try it and see.

> One of my banking sites won't accept certain special characters.
> Like $, %, ?
> Which messes up my best short passwords that I actually remember.

i too find it annoying when the set of valid password characters is
not listed somewhere easy for the user to find.

-wes


Re: OT:Password strength

Dennis Davis-3
In reply to this post by Miod Vallat
On Sun, 30 Nov 2014, Miod Vallat wrote:

> From: Miod Vallat <[hidden email]>
> To: Ted Unangst <[hidden email]>
> Cc: Eric Furman <[hidden email]>, OpenBSD Misc <[hidden email]>
> Date: Sun, 30 Nov 2014 20:34:01
> Subject: Re: OT:Password strength
>
> > Examples:
> >
> > treetykaveprethicooputhedu
> > soonataviceenoopatecoge
> > gootrozapiceelytrithunula
> > preezypeendothanundipeesooka
>
> These stand no chance against a Finnish attacker!

Are you sure?  I thought these passwords would be low-hanging fruit
for the Swedish chef from the Muppets[1].

[1] http://en.wikipedia.org/wiki/Swedish_Chef
--
Dennis Davis <[hidden email]>


Re: OT:Password strength

Darren S.
In reply to this post by davidson
On Sun, Nov 30, 2014 at 7:00 PM, <[hidden email]> wrote:

> On Sun, November 30, 2014 8:09 pm, Eric Furman wrote:
> > On Sun, Nov 30, 2014, at 12:48 AM, Nick Holland wrote:
> <lots snipped>
> >> Then there is the system where it is stored.  If you are working on a
> >> stock Solaris 9 or AIX system with the default settings, only the first
> >> eight chars are used, so the random string is much better than
> >> "mylittle", and if you, like most people, reuse passwords or don't know
> >> that the target system only uses the first eight characters, you can end
> >> up using a trivial pw that you thought was really good.
> >
> > Yes, part of the reason for asking this question was that I am aware
> > that some authentication schemes only use the first 8 characters.
> > Is there any way of knowing if they do ignore any characters after
> > the first eight?
>
> sure.  after setting your password to more than eight characters, try
> logging in by entering just the first eight characters.
>
> > Are authentication schemes that don't recognize more than eight
> > characters still common?
>
> try it and see.
>
> > One of my banking sites won't accept certain special characters.
> > Like $, %, ?
> > Which messes up my best short passwords that I actually remember.
>
> i too find it annoying when the set of valid password characters is
> not listed somewhere easy for the user to find.
>
> -wes
>
>


--
Darren Spruell
[hidden email]


Re: OT:Password strength

Tor Houghton
In reply to this post by Ted Unangst-6
On Sun, Nov 30, 2014 at 04:21:50PM -0500, Ted Unangst wrote:
> On Sun, Nov 30, 2014 at 15:37, [hidden email] wrote:
> > Where do you store these passwords? On a napkin?
>
> Wherever you like. A shorter password with all the o's turned into 0's
> is hardly more secure.
>

I'd say "on a napkin" until you remember it; which doesn't take long if you
use it several times a day.

Tor


Re: OT:Password strength

Brad Smith-14
In reply to this post by Ted Unangst-6
On 11/30/14 15:20, Ted Unangst wrote:
> Examples:
>
> treetykaveprethicooputhedu
> soonataviceenoopatecoge
> gootrozapiceelytrithunula
> preezypeendothanundipeesooka

That defeats the purpose of the second example in the OP's question.



Re: OT:Password strength

Ted Unangst-6
In reply to this post by Eric Furman-3
On Wed, Dec 03, 2014 at 08:27, Brad Smith wrote:

> On 11/30/14 15:20, Ted Unangst wrote:
>> Examples:
>>
>> treetykaveprethicooputhedu
>> soonataviceenoopatecoge
>> gootrozapiceelytrithunula
>> preezypeendothanundipeesooka
>
> That defeats the purpose of the second example in the OP's question.
>

If you want strong, short passwords that look ridiculous:

dd if=/dev/random bs=1 count=9 | b64encode password


Re: OT:Password strength

Jason Adams
On 12/03/2014 12:04 PM, Ted Unangst wrote:

> On Wed, Dec 03, 2014 at 08:27, Brad Smith wrote:
>> On 11/30/14 15:20, Ted Unangst wrote:
>>> Examples:
>>>
>>> treetykaveprethicooputhedu
>>> soonataviceenoopatecoge
>>> gootrozapiceelytrithunula
>>> preezypeendothanundipeesooka
>> That defeats the purpose of the second example in the OP's question.
>>
> If you want strong, short passwords that look ridiculous:
>
> dd if=/dev/random bs=1 count=9 | b64encode password
>

And then try to remember that mess, or type it, especially into
a smartphone. Gaak! 8-O



--
Those who do not understand Unix are condemned to reinvent it, poorly.
