The one password they could never divine is \epsilon\epsilon. Two empty strings in a row. Now I can see how some of you might object that it's then just one empty string in whole. I disagree: whoever told you passwords have to obey normal monoidal string axioms? Quite certainly arbitrary amounts of non-visible, un-greppable, in-representable void between and on characters *will* prove an un-stoppable counter-measure. https://xkcd.com/936/ Truth be told, every *nix installation really should have available 1) a commonly available dictionary, 2) a true/hard randomness source (don't go there), 3) an easily usable means of combining your own off-the-cuff source of randomness with whatever you get from your hardware, 4) a cryptographically speaking hard mixing function, and 5) a stupid-as-fuck freeware utility to fold all of that into an XKCD-hard password. Preferably the lot residing in its hard parts on your Android device's tamper-resistant whatchamathinga, with open interfaces and a dozen or so independent implementations of each part. Of course you can attack something like that. Duh. But compared to what we have now, it'd be a total hoot. -- Sampo Syreeni, aka decoy - decoy@iki.fi, http://decoy.iki.fi/front +358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2