On Thu, Mar 13, 2003 at 06:20:14AM -0500, Anthony E. Greene wrote: > There are password generators that can generate passwords that > consist of a combination of dictionary words and special characters, > eg. quick23walk.
I use a utility called mnencode this way: $ head -c 4 /dev/random | mnencode And get three word long results like: iris-farmer-benny or person-london-multi or jumbo-joker-basil Reasonably easy to type and remember, yet a significant 32-bits of entropy--far better than most passwords. (Enough for circumstances where you don't have a motivated foe with the opportunity to brute force it--a non-readable /etc/shadow is your friend here.) To find mnencode see <http://www.tothink.com/mnemonic/>. It is really a carefully crafted word list and two complementary programs, mnencode which turns binary data into words intended to be pronouncable, spellable, and unambiguous, and mndecode which turns those words back into that exact binary data. To move offtopic, for really paranoid security, such as the passphrase on the private half of a public/private key pair, you can do: $ head -c 16 /dev/random | mnencode And you get 128-bits worth of entropy as, for example: algebra-mask-armor--jester-cupid-fossil secure-detail-barcode--gray-judo-safari Take out the new line, put in single dashes throughout, and you have a long passphrase that is really secure. But it turns out that a passphrase with 128-bits of entropy is pretty unwieldy. It gets hard to remember (was it jester or joker?, secure or secured?, etc), and it is suprisingly hard to type blind. I use exactly one such passphrase (that I don't type on open wires or keyboards I don't control), but I do use it to encode my other passwords. -kb P.S. A passphrase with 128-bits of entropy is enough that even a very powerful and motivated foe will not be able to bruteforce it any time soon--if ever--and will instead resort to bugging your keyboard, hiding a camera over your keyboard, sniffing RF-emissions, rubberhose cryptanalysis, etc. For example, suppose the NSA really wants your key and can try a trillion possibilities a second, it would still take, on average, over 3-months crack a 64-bit passphrase--which is well within their abilities if they are really interested. However, a 128-bit passphrase is about 18,442,589,569,024,000,000 times as difficult as that, something even the NSA can't accomplish. Note that this is for a symmetric key, public keys work different and need to be much longer for equivalent strength. A 4K bit public key can be manipulated pretty easily by computers these days and is likely extremely strong--depending upon possible breakthroughs in factoring numbers or building quantum computers. -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list
