I have always told new users the following guideline for selecting a password, and I still believe that this rule is better than any I have seen elsewhere so far. I call it the "collision bet guideline".

Select your password such that you can comfortably bet your life that nobody in the history of computing has ever or will ever come up with the same one.

Since human brains all work rather similarly, the best attack dictionary is the list of all passwords that have ever been invented by people with a similar cultural background as the target. For those passwords where personal data was used to generate it (names, dates, etc.), the algorithm to generate the password is entered into the dictionary in addition.

After archiving other people's remote logins for over twenty years, the SIGINT folks (and more recently also some larger ISPs) should have excellent statistics for doing efficient password guessing attacks.

Markus

-- 
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>
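A defender-side sketch of the guideline above, added here as an example and not part of the original message: a password-change check that rejects a candidate if it collides with a list of previously used passwords or if simple rules can generate it from the user's own data. The word list, profile fields, separators, suffixes and substitution table are constructed assumptions.

```python
import itertools
import re

# Constructed sample standing in for "passwords other people have already used".
KNOWN_PASSWORDS = {"password", "letmein", "qwerty123", "iloveyou", "dragon"}
# Constructed glue and endings people commonly add to personal tokens.
SEPARATORS = ["", ".", "_", "-"]
SUFFIXES = ["", "1", "!", "123"]


def normalize(pw):
    """Lower-case and undo common letter substitutions so variants collide."""
    return pw.lower().translate(str.maketrans("013457@$", "oieastas"))


def personal_tokens(profile):
    """Split profile values (names, dates) into word and number tokens."""
    tokens = set()
    for value in profile.values():
        for part in re.findall(r"[A-Za-z]+|\d+", value):
            tokens.add(part.lower())
            if part.isdigit() and len(part) == 4:
                tokens.add(part[2:])  # two-digit form of a year
    return tokens


def derived_candidates(profile):
    """Yield normalized strings built from one or two personal tokens."""
    tokens = personal_tokens(profile)
    combos = itertools.chain(((t,) for t in tokens),
                             itertools.permutations(tokens, 2))
    for combo in combos:
        for sep in SEPARATORS:
            for suf in SUFFIXES:
                yield normalize(sep.join(combo) + suf)


def reject_reason(candidate, profile):
    """Return why the candidate fails the collision bet, or None if it passes."""
    norm = normalize(candidate)
    if norm in {normalize(p) for p in KNOWN_PASSWORDS}:
        return "already used by someone else"
    if norm in set(derived_candidates(profile)):
        return "derivable from personal data"
    return None


if __name__ == "__main__":
    profile = {"name": "Alice Example", "birthday": "1984-03-07"}  # constructed
    for pw in ["P@ssw0rd", "Alice1984!", "3xample_84", "vRq8#tLw2mZk"]:
        print(pw, "->", reject_reason(pw, profile) or "passes this check")
```

Passing this check only means the candidate avoided these few constructed rules; the guideline's bar is a collision with anything anyone could come up with.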
