
Re: One-line password generator



On Wed 23 Aug 2017 at 09:11:15 +0900, Lck Ras wrote:

> On 08/23/2017 07:31 AM, Brian wrote:
> > On Tue 22 Aug 2017 at 15:14:37 -0500, Mario Castelán Castro wrote:
> > You can recommend what you want but give me
> > 
> >  IhaveaMemorablePasswordwhichIwillnotforget!
> > 
> > as opposed to
> > 
> >  WVAq7XLM4va6e1A4Bb4+Zw
> > 
> > You will now explain why the first one will be broken in the next
> > 100 years. I'm past caring after that.
> 
> The problem with that kind of password generation is that it leaks in
> unexpected ways, and it can be hard to understand how much it matters.
> 
> When you know nothing about a password, it can be quite hard to guess,
> but as you reveal more information about it and its construction (max
> length, character set, format, etc.) it becomes easier and easier.
> 
> With randomly generated passwords, you still have an easy-to-understand
> "hard limit" on how easy it will be to guess, unless you start leaking
> individual characters of it, even if you reveal how the password is
> constructed.
> 
> On the other hand, with passwords like the ones you described, it can be
> quite difficult to gauge how hard it is to guess, and how much you can
> reveal about it before it being unsafe.

You should never reveal how your passwords are generated. In detail,
that is; in principle there might be no harm done.
 
> Eg. knowing that you create your passwords like that can make it
> significantly easier for someone else to guess your password, which
> could potentially be dangerous, especially if done by someone who knows
> you well.

Agreed. Account passwords being guessed can surely only happen when the
account owner is known to the perpetrator.
 
> I personally use diceware, which is relatively memorable and secure
> enough. Revealing the fact that I use diceware makes guessing my
> passwords significantly easier, but it still is very far in the
> "impossible" territory.
> 
> I don't think leaving your passwords up to chance is a good idea. You
> should know, not guess, whether it is safe or not.

How does one know

 MyDogHasNoNose.HowDoesItSmell?Terrible!

(old jokes are very memorable) is a safe password?

-- 
Brian.
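
The "hard limit" argued over in this message, as an added example that is not code from any poster in the thread: for a password drawn uniformly at random, the guessing cost stays computable even when the attacker knows the generator, which is the property a hand-composed sentence lacks. The function names, the dice-roll stand-in for a word list, and the attacker rate of 10^12 guesses per second are assumptions made for the illustration.

```python
import base64
import math
import secrets
from itertools import product

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a Diceware list: the 6**5 = 7776 five-dice rolls
# ("11111" .. "66666") that a real list maps one-to-one onto words.
DICE_ROLLS = ["".join(r) for r in product("123456", repeat=5)]

def random_base64_password(n_bytes=16):
    """n_bytes from the OS CSPRNG, base64-encoded, '=' padding stripped."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode().rstrip("=")

def diceware_passphrase(wordlist, n_words=6, sep=" "):
    """n_words drawn independently and uniformly from wordlist."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def bits_random_bytes(n_bytes):
    """Entropy when the attacker knows everything except the random bytes."""
    return 8.0 * n_bytes

def bits_wordlist(list_size, n_words):
    """Entropy when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)

def years_to_guess(bits, guesses_per_second):
    """Expected years to hit the secret (half the space searched)."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    RATE = 1e12  # assumed attacker speed in guesses/second, not from the thread
    for label, secret, bits in [
        ("16 random bytes", random_base64_password(), bits_random_bytes(16)),
        ("6 diceware words", diceware_passphrase(DICE_ROLLS),
         bits_wordlist(len(DICE_ROLLS), 6)),
    ]:
        print(f"{label}: {secret}")
        print(f"  {bits:.1f} bits, ~{years_to_guess(bits, RATE):.3g} years")
```

Sixteen random bytes encode to 22 base64 characters, the same length as the random-looking password quoted in the message. Neither entropy function can be applied to a sentence composed by hand, because its selection was not uniform over a known set.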


