On 28-06-2014 20:25, Stuart Henderson wrote:
> 1. maybe they did, in which case you don't want to make a stolen crypted
> password file any easier to use

Of course not. But if someone roots any of my machines, I would assume that password compromised. And never, ever, use that again.

> 2. "average user" -> OK so it's off the subject line of "root's password",
> but the xkcd article is talking about average users - and the most common
> case is probably passwords for websites. I use unique addresses for various
> websites so I can identify some leaked account details. There have been
> enough email addresses lost (online stores, forums, an estate agent given
> the address on paper only, even a bank) and I will assume that for many
> of those passwords (in whatever form they were stored, which I assume in
> many cases is "plaintext" or "unsalted md5") that I don't trust any website
> with more than a one-off password used only for that site, which is not
> memorable so basically means keeping them somewhere (offline or in a file
> with reversible encryption), and if you're doing that anyway you might as
> well use fully random strings.

Same technique here. If you take a look at the most recent password breaches, most companies don't do their job right. The LinkedIn case is one of the most recent that comes to my mind.

> That meme has to die - why would wordlists only be in English?

They aren't. That does not mean that an attacker will have wordlists in all foreign languages. I, for example, am a Brazilian Portuguese speaker, so I can mix some very obscure words with accents and render wordlists mostly unusable.

> There's nothing particularly modern about handling substitutions like
> a/@, e/3, 1/l, 7/t etc in words, though of course using a wide set of
> symbols in a fully random string does increase entropy quite a lot
> for a given string length.

Yes, that is true. I was searching on password strengths and (re)found this article from Bruce Schneier, from earlier this year: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

He specifically debunks the xkcd comic strip. But the discussion that follows is interesting. Anyway, combining methods seems to be a great way to get a good password. Other than a completely random one, of course.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
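The entropy comparison the thread argues about (fully random strings over a wide symbol set versus a wordlist passphrase versus a dictionary word with a/@, e/3, 1/l, 7/t substitutions), as an added worked example that is not part of the original messages. The substitution table is the one named in the quoted reply; the wordlist sizes and the sample word "elephant" are constructed for illustration, and the model assumes an attacker who tries both forms of every substitutable letter, so each such position is worth at most one bit.

```python
import math

# Substitutions named in the thread (a/@, e/3, 1/l, 7/t). An attacker who
# models them tries both forms of each letter, so every substitutable
# position adds at most one bit over the plain dictionary word.
LEET_SUBSTITUTIONS = {"a": "@", "e": "3", "l": "1", "t": "7"}


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: symbols are independent."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of words drawn uniformly from a wordlist."""
    return word_count * math.log2(dictionary_size)


def substitutable_positions(word: str) -> int:
    """Number of letters the substitution table can rewrite."""
    return sum(1 for ch in word.lower() if ch in LEET_SUBSTITUTIONS)


def leet_word_bits(word: str, dictionary_size: int) -> float:
    """Upper bound for one dictionary word with optional substitutions:
    log2(wordlist size) plus one bit per substitutable letter."""
    return math.log2(dictionary_size) + substitutable_positions(word)


def compare_strategies() -> dict:
    """Constructed comparison of the schemes discussed in the thread."""
    return {
        "random 8 chars, lowercase only": random_string_bits(8, 26),
        "random 8 chars, 95 printable ASCII": random_string_bits(8, 95),
        "4 words from a 2048-word list": passphrase_bits(4, 2048),
        "'elephant' with substitutions, 100k-word list":
            leet_word_bits("elephant", 100_000),
    }


def strongest(strategies: dict) -> str:
    """Name of the scheme with the most bits."""
    return max(strategies, key=strategies.get)


if __name__ == "__main__":
    results = compare_strategies()
    for name, bits in sorted(results.items(), key=lambda kv: -kv[1]):
        print(f"{bits:6.1f} bits  {name}")
```

A larger or multilingual wordlist only adds log2 of its growth to the dictionary-word line, which is why the thread's "nothing modern about substitutions" point holds regardless of language.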

