Conversation
Notices
-
Passwords are like… http://ur1.ca/7g5iy - this image will never get old !sysadmin #security
-
@cyberkiller Changing passwords isn't as useful as having high-entropy ones in the first place. http://xkcd.com/936/
-
@spacehobo actually that strip is wrong - that common word password is extremely weak to dictionary attacks, plus...
-
@cyberkiller You are the "someone who does not" in the hover text
-
@spacehobo ...it would take 2,84e13 days to crack that 11 sign pass @ 1000 tries/sec, trying all 4word combinations in eng would take <1h
-
@cyberkiller You're comparing pwgen to dictionary passwords, and ignoring the measured entropy of English words.
-
@spacehobo I'm comparing 11 random chars from 4 groups with 4 dictionary words: (2*23+10+32)^11 vs. 6677^4
-
@spacehobo correction: (2*23+10+32)^11 vs. 62153^4, so it'd take >1h for the dictionary, but still the random pass is better
-
@cyberkiller yeah, but the person trying to break the password has no idea if that's 4 English words or ~20 alphanum chars. :)
-
@cyberkiller hence it should be viewed as a ~20 alphanum password, with regard to breaking and time needed for it
-
@cyberkiller I'm not debating against pwgen'd passwords. You seem to have not read the comic carefully enough.
-
@spacehobo the comic's author has made specific assumptions as to the first pass structure, that's why he got so low score for it
-
@cyberkiller and you think attackers don't benefit from making the exact same assumptions?
-
@cyberkiller it's a call for change from current bad advice about user-chosen passwords to good advice. Please read carefully.
-
@rysiek well, I usually run bruteforce and dictionary and mixed attacks in parallel, so it's whichever gets there first
-
@spacehobo no, those assumptions were possible here because the string was known already. You can't tell if only 1st char is caps etc
-
@cyberkiller haha, you really are the caps guy in the hover text!
-
@cyberkiller the assumptions were possible because THIS IS HOW WE TELL PEOPLE TO MAKE PASSWORDS
-
@spacehobo it is you who got fooled into believing that the output of 'pwgen -cnys 11 1' is ~2e8 combinations
-
@spacehobo who tells? I never told anyone to create a password on a base of any existing word in any language, I tell ppl to use pwgen
-
@cyberkiller That is specifically NOT what is stated in the comic! Nobody is debating the strength of #pwgen passwords here!
-
@cyberkiller "We" the general tech industry, not you an individual.
-
@cyberkiller That comic is about balancing entropy and memorability to optimize for security.
-
@cyberkiller human factors mean that unmemorable passwords get committed to insecure storage, which is DISASTROUS.
-
@spacehobo you could have said that earlier and saved us this debate - I had only 3-4 hours of sleep today, so my brain is a bit off :-P
-
@cyberkiller well changing passwords is a human factors concern, so... duh?