
Re: Have I been hacked?



Brian wrote:
> Seeing that my argument that enforcing (if it is possible) an
> unmemorable password is not in the best interests of security doesn't
> gain any traction, let me try a different tack.
> 
> The password
> 
>   TwasBrilligAndTheSlithyToves
> 
> strikes me as a pretty good one for an ssh login. (I have capitalised
> some letters for readability, not to add complexity). Personally, I find
> it easy to remember and associate with ssh and my account. I cannot see
> why it is not a good password for me.

  Why passwords have never been weaker—and crackers have never been stronger
  http://arstechnica.com/security/2012/08/passwords-under-assault/

  Most importantly, a series of leaks over the past few years containing
  more than 100 million real-world passwords have provided crackers with
  important new insights about how people in different walks of life
  choose passwords on different sites or in different settings.  The
  ever-growing list of leaked passwords allows programmers to write
  rules that make cracking algorithms faster and more accurate; password
  attacks have become cut-and-paste exercises that even script kiddies
  can perform with ease.

To summarize the problem: it is that you, as a human, are unique in the
universe, just like everyone else.  Analyzing 100 million passwords
exposes the human bias that you introduce that you don't realize you
are introducing.  It is "big data" removing the uniqueness and
reducing the search space.

I won't say that the technique you show above is a bad thing.  But the
current wisdom is that it isn't good enough anymore because after
analyzing millions of real-world passwords, programs can now guess
what humans will do much of the time.  So what you really need is
something other than what a human would produce.

Bob
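An added illustration of the reduced-search-space point (my own example, not code from the thread): it counts the candidates produced by a rule that joins consecutive words of a well-known text, checks that the quoted passphrase falls inside that set, and compares the size of that space with words drawn at random. The Jabberwocky fragment is a constructed stand-in corpus, and the 7776-word list size and the 1,000,000-word "quotation corpus" are assumed figures for the comparison.

```python
import math
import secrets

# Constructed sample corpus: the opening of "Jabberwocky", standing in for
# the kind of well-known text a cracking rule set is built to reproduce.
KNOWN_TEXT = ("twas brillig and the slithy toves did gyre and gimble "
              "in the wabe all mimsy were the borogoves and the mome raths outgrabe")


def quote_runs(text, k):
    """All runs of k consecutive words in `text`, joined in CamelCase.

    This is the shape of a rule that turns a memorable quotation into a
    candidate passphrase; the set it yields is tiny compared with the
    space of arbitrary k-word phrases.
    """
    words = text.lower().split()
    return {"".join(w.capitalize() for w in words[i:i + k])
            for i in range(len(words) - k + 1)}


def is_quote_derived(passphrase, text, k):
    """True if `passphrase` is a CamelCased k-word run of the known text."""
    return passphrase in quote_runs(text, k)


def quote_search_space_bits(corpus_words, k):
    """log2 of the number of k-word runs in a corpus of corpus_words words."""
    return math.log2(corpus_words - k + 1)


def random_words_bits(wordlist_size, k):
    """log2 of the number of k-word phrases chosen uniformly from a wordlist."""
    return k * math.log2(wordlist_size)


def random_passphrase(wordlist, k):
    """A phrase no human would produce: k words picked with the OS CSPRNG."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(k))


if __name__ == "__main__":
    phrase = "TwasBrilligAndTheSlithyToves"
    print(phrase, "is quote-derived:", is_quote_derived(phrase, KNOWN_TEXT, 6))
    # Assumed figures: a 1,000,000-word corpus of quotations vs. a 7776-word list.
    print("6-word run of a quotation corpus: %.1f bits" % quote_search_space_bits(1_000_000, 6))
    print("6 random words from a 7776-word list: %.1f bits" % random_words_bits(7776, 6))
    print("example random phrase:", random_passphrase(KNOWN_TEXT.split(), 6))
```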
