Brian wrote:
> Bob Proulx wrote:
> > Brian wrote:
> I am still going to maintain that "TwasBrilligAndTheSlithyToves" is a
> more than adequate password for logging in *on-line*. If I were to lack
> trust in the maintenance of security at a site I might consider a change
> of heart. But then - what would I base my judgement on, apart from the
> theoretical possibility?
>
> > I won't say that the technique you show above is a bad thing. But the
> > current wisdom is that it isn't good enough anymore because after
> > analyzing millions of real world passwords, programs can now guess
> > what humans will do much of the time. So what you really need is
> > something other than what a human would produce.
>
> We are still on off-line cracking? How does this sound?

Oops. You caught me. Everyone else continued to talk about offline
cracking and I had pretty much given up and lost track of the topic.
But you specifically said online and emphasized it. My bad.

Although I was trying to address specifically the trust in site
security. It is only a matter of time before a high profile site is so
mired in its own bureaucracy that it loses track of its own security
and exposes this information. Historically speaking.

But the original poster was talking about a personal Debian system.
For a personal system one could probably get away with using a pretty
weak password. Your password method would be a pretty strong one for a
personal system.

If the system is compromised to the point that /etc/shadow with the
hashes is exposed for an offline attack then you should scrape it clean
and install from known good pristine sources and start again using all
different passwords than before. The weak password wouldn't have been
the problem in that case. The attack could only have come through some
other vector into the machine.

Bob

P.S. Before leaving remote web sites entirely behind... Most important
is to use a unique password per site. Then use a strong password only
if I care about having that data cracked. I use my fair share of weak
throwaway passwords on weak throwaway sites. But I never reuse them
across sites.
Attachment:
signature.asc
Description: Digital signature
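The offline attack Bob describes above (an attacker holding the hashes from a leaked /etc/shadow and guessing against them at their own pace, with a candidate generator tuned to how humans build passwords) can be sketched as a small script. This is an added example, not code from the thread or from Debian; it uses a plain salted SHA-512 as a stand-in for the sha512crypt/yescrypt hashes a real shadow file holds, and the salt, the word list and both test passwords are constructed here, as are all function names.

```python
import hashlib
import itertools
import math
from typing import Iterator, List, Optional, Tuple

# Stand-in for a shadow-style entry, "salt$hexdigest". Real /etc/shadow
# entries use sha512crypt or yescrypt with many rounds; a single salted
# SHA-512 is used here only so the guessing loop is easy to follow.
def make_hash(password: str, salt: str) -> str:
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return salt + "$" + digest


def check_guess(candidate: str, stored: str) -> bool:
    """Recompute the hash for one candidate and compare with the stolen one."""
    salt, digest = stored.split("$", 1)
    return hashlib.sha512((salt + candidate).encode()).hexdigest() == digest


# Constructed word list: an attacker who knows the target quotes
# Jabberwocky would seed the generator with capitalised words from it.
WORDS: List[str] = ["The", "And", "Twas", "Slithy", "Toves", "Brillig",
                    "Jabberwock", "Gyre", "Gimble", "Wabe"]


def phrase_candidates(words: List[str], max_words: int) -> Iterator[str]:
    """Yield CamelCase concatenations of 1..max_words distinct words,
    shortest first, the way a rule-based cracker expands a word list."""
    for n in range(1, max_words + 1):
        for combo in itertools.permutations(words, n):
            yield "".join(combo)


def total_candidates(words: List[str], max_words: int = 6) -> int:
    """Size of the search space phrase_candidates() walks."""
    return sum(math.perm(len(words), k) for k in range(1, max_words + 1))


def offline_crack(stored: str, words: List[str],
                  max_words: int = 6) -> Tuple[Optional[str], int]:
    """Run the generator against one stolen hash. Returns the recovered
    password (or None) and the number of guesses made. Nothing limits
    the rate: this is the attacker's own CPU, not the site's login form."""
    guesses = 0
    for candidate in phrase_candidates(words, max_words):
        guesses += 1
        if check_guess(candidate, stored):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    salt = "k3Ld8x"  # constructed salt
    human_made = make_hash("TwasBrilligAndTheSlithyToves", salt)
    machine_made = make_hash("x7Gq-Lm2v_Q9aR", salt)  # constructed, not word-based
    print("search space:", total_candidates(WORDS))
    print("human phrase:", offline_crack(human_made, WORDS))
    print("random-like: ", offline_crack(machine_made, WORDS))
```

The point is not the size of this toy word list but where the two passwords sit relative to it: the human-built phrase falls inside a small, structured space that the generator walks in well under a second, while the random-looking string is never reached, so the attacker exhausts the space and moves on. An online login form that throttles or locks out after a handful of failures never gets anywhere near even this many attempts, which is the on-line versus off-line distinction the thread keeps circling.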