[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: One-line password generator

On Sat 02 Sep 2017 at 12:52:32 +0200, Thomas Schmitt wrote:

> Jude DaShiell wrote:
> > We have a 20 character password here with at least two of each kind of
> > symbol in it lowers uppers numbers and symbols.
> If you produced it by a quite random method then my only potential
> criticism would be the question how you memorize it without the risk
> that it gets stolen.
> (You should refuse to give any detail, of course.)
> The problem with memorizable passwords is usually (*) that they stem from
> a guessable base secret and then got modified by applying various good
> advise, but without losing their property to be easily memorized.
> This good advise is known to the attacker, too. The number of different
> such advised methods is then an obstacle for enumeration.
> The attacker has to try them, as he tries the guessable base secrets.
> But that number is not large, compared to affordable computing power.
> After all, one must be able to memorize the method which one used.
> So it must be quite simple. Simple means few variations.

I think you had a provider's compromised database in mind when you wrote
this. An attacker would be limited by his imagination and monetary and
time costs but, in the end, it could be assumed he would get something
out of it. The compromise is also not the user's responsibilty and it is
unfair to put the burden for mitigating it on him

Jude DaShiell's 20 character password is good enough for online logins
to web accounts. The provider should have some type of account lockout
in place for failed logins (Facebook and Twitter do this) and 10,000
tries per second would surely be seen as a DoS attack, if not.

Guessable? Is this the type of guessing done by friends, acquaintances
and close family members to try to get at your gmail or bank account?
That is more likely to succeed than the efforts of a criminal mind.

> (*) If you have a very unusual mindset, then your memorizable passwords
>     might be separate enough from the clusters of other people's memorizable
>     passwords. Attackers try the most rewarding guesses first.
>     If you are a plain memory genius:
>     Congrats. Make a good random password and be safe.

Random is excellent; write it down or use a password manager. Not so
random is less than excellent, but needn't be atrocious (a 20 character
password isn't) for an online login, memorable or not.


Reply to: