On 4/3/22 14:05, ghe2001 wrote:

Another password generator suggestion:

I'm 79 and memory isn't what it used to be, so I find those "secure" passwords 
generated by computers to be less than optimal.

I use a system that I claim can't be hacked by a dictionary search and almost 
certainly not by guessing, but will be easy to remember:

Think of a line or two from a relatively obscure play or poem or song that you 
like.  A while back, a woman I needed a pw for used lines from an aria in one 
of Mozart's operas -- in Italian.

Just take the first letters of the words, case included, and all the 
punctuation and stuff, and that's your pw.  You may need to add a few numerals 
to make the bank's pw checker happy.  When you want to use it, run the line(s) 
through your mind, and you remember the pw.

If anyone on this list knows why that won't work, I'd sure appreciate knowing 
about it...


Mozart is famous enough that I expect transcripts of all of his works exist. And, that algorithm is common. Generating a dictionary for the pair is trivial; it's just a question of password length. I expect that serious crackers already have such.


Using a unique and unpublished phrase or sentence would preclude creating a dictionary. But, is there such a thing as a "unique and unpublished phrase or sentence" and how do you remember it forever?


Given defenses such as fail2ban(8), a dictionary is usable only if the attacker has obtained the salted password hash (e.g. /etc/shadow) and can do the work offline.


That said, the stories I read usually cite credential stuffing or phishing as the origin of breaches:

https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/


David
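An added example, not written by either poster, that turns David's point into the check a password-policy tool could run: derive the first-letter mnemonic (case and punctuation kept, as ghe2001 describes) of every line and every pair of adjacent lines in a corpus, then test whether a candidate password, with any appended numerals stripped, is one of them. The corpus lines, the two-line window and the treatment of apostrophes as punctuation are constructed assumptions.

```python
import re

# Constructed stand-in for a published corpus (poems, lyrics, librettos).
CORPUS = [
    "Shall I compare thee to a summer's day?",
    "Thou art more lovely and more temperate:",
    "Voi che sapete che cosa e amor,",
    "Donne, vedete s'io l'ho nel cor.",
]

# A token is either a run of letters (a word) or a single non-letter,
# non-space character (punctuation, kept verbatim). Assumption: an
# apostrophe splits a word, so "summer's" contributes "s's".
TOKEN_RE = re.compile(r"[A-Za-z]+|[^A-Za-z\s]")


def mnemonic(text: str) -> str:
    """First letter of each word, case preserved; punctuation kept; spaces dropped."""
    return "".join(m.group(0)[0] for m in TOKEN_RE.finditer(text))


def build_dictionary(lines, max_lines=2):
    """Mnemonics of each single line and of each run of up to max_lines adjacent lines
    (covers the 'a line or two' variant of the scheme)."""
    words = set()
    for start in range(len(lines)):
        for n in range(1, max_lines + 1):
            if start + n <= len(lines):
                words.add(mnemonic(" ".join(lines[start:start + n])))
    return words


def is_corpus_mnemonic(password: str, dictionary) -> bool:
    """True if the password, minus numerals appended to satisfy a complexity
    checker, is the mnemonic of something in the corpus."""
    core = re.sub(r"\d+$", "", password)
    return core in dictionary


if __name__ == "__main__":
    table = build_dictionary(CORPUS)
    for candidate in ("SIcttas'sd?42", "Vcsccea,D,vs'il'hnc.", "xQ9#zLm!"):
        verdict = "REJECT (corpus mnemonic)" if is_corpus_mnemonic(candidate, table) else "ok"
        print(f"{candidate!r}: {verdict}")
```

A real policy check would use the full published corpus rather than four lines; the lookup cost does not change, which is the point David makes.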
