Rabid Wombat wrote:
On Thu, 18 Apr 1996, Jon Leonard wrote:
The exception to this is when you may be overheard typing a password. The space bar sounds different, and an attacker who knows you've used a space has a significantly smaller search space.
So I usually recommend avoiding space, @, #, and control characters when generating passwords. Have I missed any or gotten too many?
Why would you want to avoid #, @, etc. ?
Space sounds different, # is sometimes backspace, @ is sometimes kill-line, and control characters often do strange things. Those are the only characters I avoid, though. For example, if you're using a teletype to change your password on a UNIX system (or it _thinks_ you _might_ be using one), and use a password of "O&]z@d#4", you've just set your password to "4". Control characters are worse: ^S to lock your terminal, ^D to disconnect -- no fun.
I have a hard enough time getting lusers to choose non-dictionary passwords that they can *remember* - one technique is to teach sub-100 i.q. types to use two words, seperated by a #,@, etc., with a number tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of being remembered without writing it on a sticky note and pasting it to the @#%&ing monitor.
It's hard. I'd really rather have longer pass{words,phrases} so that there's the potential for lots of entropy without requiring line-noise for passwords. Jon Leonard