One method is to take acronyms from your favorite hobby and string them together Example: NetBEUI CPU is 45GHz 14Kbps NetBEUICPUis45GHz14Kbps. 25 characters, upper and lower case and I'm going to guess random enough. Surely acronym's are different when it comes to a dictionary attack? Need to change it? Flip the order of the acronyms.
Personally I use a passphrase with correct punctuation - it gives upper case, lower case, and special character. These becomes frustrating when you go to a website that gives you something dumb like 12character maximum, in which case use the hobby acronym's. My $0.02 Dave From: Don Ely [mailto:[email protected]] Sent: Thursday, February 10, 2011 10:29 AM To: NT System Admin Issues Subject: Re: IPhone attack reveals passwords in six minutes I must not be human... Most of my high security accounts have passwords of 20+ random characters and I have them memorized... On Thu, Feb 10, 2011 at 10:25 AM, Ben Scott <[email protected]<mailto:[email protected]>> wrote: On Thu, Feb 10, 2011 at 12:31 PM, Matthew W. Ross <[email protected]<mailto:[email protected]>> wrote: >> If data is encrypted with strong crypto, and that crypto's secret >> key is not stored on the device, then that data can generally be >> considered safe even if the device is stolen. >> >> In English, that means if the security depends on a strong password >> the user must enter (and not on some magic the manufacturer has >> "hidden" inside the device), the password-protected data is safe. > > ... Isn't that only partially true? I mean, if the encrypted data is stolen, > isn't it reasonable to believe it can be cracked given enough time/cpu power? You're basically correct. Given good algorithms and implementations, the strength of your security depends on the strength of the key. If the password is an English word, then yah, it's going to be straightforward to crack in minutes or hours with a dictionary attack. If it's a a combination of words and other characters, it's harder, but still within reason for days, weeks, or months. Once you go to truly random characters, it's dependent on the length. But even 10 characters might be crackable in several years given commercially available technology. (I'm not up on current predictions, so numbers may be off for times.) A truly random 256-bit symmetric key could theoretically be cracked given enough time, but time to brute-force (given known technology) is generally given in billions of years. It has been theorized that new technology (especially "quantum computing") could drastically cut into that, but it remains to be seen if such things are actually possible or not. But 256 bits is a lot. Printable ASCII is roughly 96 characters. That fits in roughly six and a half bits. So your passcode would need to be around 40 characters long, and *completely* random (no words or patterns), for it to be in that neighborhood. It's not realistic to expect humans to do that. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
