Mike Pinkerton wrote:
> On 6 Mar 2015, at 23:49, Adam Williamson wrote:
> > On Fri, 2015-03-06 at 23:09 +0100, Björn Persson wrote:
> >> I hope https://xkcd.com/936/ will be among the inputs to that
> >> discussion.
> >
> > I'm fond of noting that pwquality has not yet blacklisted any variant
> > of correcthorsebatterystaple. I've been using correcthorse as my stock
> > anaconda testing password, since the strength check has been
> > enforced...
> 
> It won't stand up to a combinator attack:
> 
> <https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html>

It's not entirely clear, but I guess you mean that a two-word
combination like "correct horse" won't stand up. That appears to be
true. A four-word phrase is an entirely different matter. Each
additional word increases the complexity exponentially, so doubling the
number of words squares the number of possible combinations.

The catch is that the words must be *randomly* chosen. XKCD doesn't
stress that point much, and humans are notoriously bad at choosing
randomly. I suspect that many people make up some highly nonrandom
four-word passphrase and think they have a "correct horse battery
staple"-quality passphrase.

Björn Persson
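
The two points made in the message above (doubling the word count squares the keyspace, and the estimate only holds for random choice), worked through as an added example that is not part of the original thread or of pwquality/anaconda. The 2048-word list size, the Zipf-like "human" model and the sample words are assumptions constructed for illustration.

```python
import math
import secrets

WORDLIST_SIZE = 2048  # assumption: 2**11 words, i.e. 11 bits per uniformly random word

def keyspace(n_words, wordlist_size=WORDLIST_SIZE):
    """Number of equally likely passphrases of n_words uniformly random words."""
    return wordlist_size ** n_words

def shannon_bits(weights):
    """Entropy in bits of one word drawn with the given relative weights."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)

def passphrase_bits(n_words, weights):
    """Entropy of n_words independent draws from the same word distribution."""
    return n_words * shannon_bits(weights)

def generate_passphrase(wordlist, n_words=4):
    """Pick words uniformly and independently using the OS CSPRNG."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy estimate")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Uniform choice: every word in the list is equally likely.
UNIFORM = [1] * WORDLIST_SIZE
# Constructed model of a human picker: the k-th favourite word is chosen with
# weight 1/k (Zipf-like). An assumption for illustration, not measured data.
HUMAN = [1 / rank for rank in range(1, WORDLIST_SIZE + 1)]

# Constructed sample list; a real list needs thousands of distinct words.
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "drizzle",
                "ember", "fjord", "gravel", "hammock"]

if __name__ == "__main__":
    for n in (2, 4):
        print(f"{n} random words: {keyspace(n):,} combinations "
              f"({passphrase_bits(n, UNIFORM):.1f} bits)")
    print(f"4 'human-chosen' words: {passphrase_bits(4, HUMAN):.1f} bits")
    print("sample:", generate_passphrase(SAMPLE_WORDS))
```
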


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
