[SOT] {FWD} [Dailydave] Don't use vowels in passwords! (fwd)

Lars Luthman mail at larsluthman.net
Tue Nov 12 08:36:03 PST 2013


On Tue, 2013-11-12 at 11:00 -0500, David Vorick wrote: 
> https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html
> 
> The xkcd comic doesn't really apply anymore. Dictionary attacks have gotten
> to the point where they can crack 'momof3g8kids' and 'Coneyisland9/,'

It still applies. It says in the small print that it assumes online
attacks against a remote service, and for that threat model 44 bit
passwords are probably good enough. If you want protection against
offline attacks, which you probably want most of the time, you just need
to pick more words.


> and apparently have dictionaries breaking 100 million words. As password
> attacks get better and better at predicting human patterns (and hardware
> gets faster), you are going to need to completely generate your passwords
> at random in order to defend against dictionary attacks.

You should always do that anyway since it's the only way to know the
minimum strength of your password in bits. The XKCD or Diceware method
can be used to generate memorable passwords up to 80 - 120 bits or so,
which should be good enough for a while still as long as login services
don't stupidly limit the passphrase lengths.


--ll
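A worked example of the entropy arithmetic behind the reply above, added here and not from the thread or either poster: it computes the bits of a word-list passphrase, how many words reach a target such as 80 or 120 bits, and how online versus offline guessing rates change the picture. The list sizes (2048 for an xkcd-style list, 7776 for Diceware) are real; the attacker guess rates and the tiny word list are constructed for illustration.

```python
import math
import secrets

XKCD_LIST_SIZE = 2048      # 2^11 words, 11 bits per word
DICEWARE_LIST_SIZE = 7776  # 6^5 dice outcomes, about 12.9 bits per word

# Constructed stand-in word list; only its size matters for the arithmetic.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "island",
                "coney", "vowel", "dice", "lattice", "pipermail"]


def bits_per_word(list_size):
    """Entropy contributed by one uniformly chosen word."""
    return math.log2(list_size)


def passphrase_bits(num_words, list_size):
    """Minimum entropy (bits) of num_words independent uniform draws."""
    return num_words * bits_per_word(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count giving at least target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(list_size))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time: an attacker covers half the space on average."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(wordlist, num_words):
    """Draw words with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print("xkcd 4 words:", passphrase_bits(4, XKCD_LIST_SIZE), "bits")
    for target in (80, 120):
        print(target, "bits needs", words_needed(target, DICEWARE_LIST_SIZE),
              "Diceware words")
    # Assumed rates: rate-limited online service vs. offline hash cracking.
    online, offline = 1e3, 1e12
    yrs = expected_crack_seconds(44, online) / (365 * 86400)
    print("44 bits online: %.0f years; offline: %.1f s" %
          (yrs, expected_crack_seconds(44, offline)))
    print("sample:", generate_passphrase(SAMPLE_WORDS, 7))
```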