On Mon, 24 Oct 2011, Florin Iucha wrote:

> On Sun, Oct 23, 2011 at 08:51:40PM -0500, Harry Penner wrote:
>
>>> I should try that. What I've been doing instead is using a certain
>>> format for the password, something like #:xx637FUbar where the xx part
>>> is replaced by a couple of letters based on the name of the machine or
>>> system I am connecting to. That means that I have different passwords
>>> on every system, but I can still remember them. I guess it is
>>> theoretically possible for someone to figure out what I've done, but I
>>> think that is very unlikely.
>>
>> I've read in several 'security' places (conferences, blogs, etc, take
>> 'em all with a grain of salt) that that's a very effective way to
>> manage passwords. The idea being that (1) the main component of the
>> password is "strong", but there's only one so it's not too hard to
>> remember, and (2) the site-unique piece of the password prevents the
>> vulnerability associated with using a single (however strong) password
>> for multiple sites. Since it's completely unreasonable to expect a
>> normal person to remember multiple "strong" passwords, it's what I
>> recommend to extended family and friends.
>
> http://cuddletech.com/blog/?p=666 and xkcd make a good point in that we
> should not be using pass-words but pass-phrases. More entropy and
> easier on our brains.

I was using Solaris for more than a decade until a couple of years ago. In Solaris, though it gave no warning and accepted any password, only the first 8 characters of the password were used. So if a user entered the password "correct horse battery staple", the password would be "correct ", with the space. This created a blatantly obvious security problem that Sun didn't seem to mind at all. When we use passwords online, we don't really know how much of the string is being used.

If the system is truncating at 8 characters, we are putting ourselves in danger if we use pass-phrases, especially if the first 8 characters is a common word. For this reason, I like to use something a little tricky in the first 8 characters -- front-load your password. If you are going to use weird characters, it is better to have them at the beginning than at the end.

The XKCD cartoon is deceiving because it makes a bunch of assumptions about how the password is encoded. For example, we supposedly know that only the first letter could be capitalized, but not the other letters. So if someone were to use *all* caps, that scheme would never even find PASSWORD as the password. Bizarrely, it also requires that the cracker know that the last two characters are a digit and a punctuation mark, but he doesn't know their order.

If we have 52 alphabet characters, 10 digits and 33 non-alphanumeric characters, then we would start working on the 11-character password after doing the 95^10 10-character passwords, the 95^9 9-character passwords, etc. That's more than 65 bits just to get through the 10-character passwords and start on the 11-character passwords. Then there are more than 72 bits of 11-character passwords, so on average that's 71 bits to crack the 11-character password, which will never happen.

I also don't agree that "staple battery horse correct" is easy to remember, or was it "horse right nail battery"? I think I'll give up and write it on a post-it and stick it on my monitor. Besides, if we are going to use a different password for every account we own, how are we going to remember dozens of weird word-strings and how they are assigned to accounts?

By the way, the x.500 system at the U recently informed me that my password is too easy to guess. This seems quite odd to me because it accepted it in the first place and the password consists of 9 characters that include digits, punctuation, upper-case and lower-case letters and do not form any sort of recognizable word or phrase.

Mike
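The two calculations Mike walks through above, worked out as an added example (this is not code from the thread): the length-first brute-force budget over the 95-character alphabet he assumes, and the effect of a system that silently keeps only the first 8 characters of a passphrase. Alphabet sizes and the 8-character limit are taken from the message; the function names are mine.

```python
import math

# Character classes from the message: 52 letters, 10 digits, 33 punctuation.
ALPHABET = 52 + 10 + 33          # 95 printable characters
LOWER_AND_SPACE = 26 + 1         # what a truncated all-lowercase passphrase draws from
TRUNCATION_LIMIT = 8             # the Solaris behaviour described in the message


def candidates_up_to(length: int, alphabet: int = ALPHABET) -> int:
    """Total passwords of length 1..length over an alphabet of the given size."""
    return sum(alphabet ** k for k in range(1, length + 1))


def bits(count) -> float:
    """Express a count of candidates as bits of work (log2)."""
    return math.log2(count)


def work_to_reach_length(length: int, alphabet: int = ALPHABET) -> float:
    """Bits of work a length-first search spends before it starts on
    `length`-character passwords (all shorter lengths exhausted first)."""
    return bits(candidates_up_to(length - 1, alphabet))


def expected_bits_for_length(length: int, alphabet: int = ALPHABET) -> float:
    """Bits of work for the average password of exactly `length` characters:
    the full space is alphabet**length, and on average half of it is searched."""
    return bits(alphabet ** length) - 1


def truncated(password: str, limit: int = TRUNCATION_LIMIT) -> str:
    """Simulate a system that keeps only the first `limit` characters
    without warning, as the message describes for Solaris."""
    return password[:limit]


def truncation_collides(a: str, b: str, limit: int = TRUNCATION_LIMIT) -> bool:
    """True when two different passwords become identical after truncation."""
    return truncated(a, limit) == truncated(b, limit)


def prefix_search_bits(alphabet: int, limit: int = TRUNCATION_LIMIT) -> float:
    """Bits of work to exhaust every possible `limit`-character prefix drawn
    from `alphabet`; this is all an attacker needs against a truncating system."""
    return bits(alphabet ** limit)


if __name__ == "__main__":
    print(f"{work_to_reach_length(11):.1f} bits to finish all 10-char passwords")
    print(f"{expected_bits_for_length(11):.1f} bits on average for an 11-char password")
    print(repr(truncated("correct horse battery staple")))
    print(f"lowercase+space prefix: {prefix_search_bits(LOWER_AND_SPACE):.1f} bits; "
          f"front-loaded 95-char prefix: {prefix_search_bits(ALPHABET):.1f} bits")
```

Under the 8-character truncation the passphrase "correct horse battery staple" and "correct horse" are the same credential, and the whole lowercase-plus-space prefix space is about 38 bits, against roughly 52.6 bits for a prefix that uses all 95 characters.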