Re: One-line password generator

2017-09-03 Thread Zenaan Harkness
On Sat, Sep 02, 2017 at 09:33:10AM -0500, Mario Castelán Castro wrote: > On 01/09/17 22:33, Zenaan Harkness wrote: > > I am not mathematically literate enough to even properly parse that > > sentence! > > Here (and through the rest of your message) you are admitting that you > do not understand

Re: One-line password generator

2017-09-02 Thread Brian
On Sat 02 Sep 2017 at 20:58:13 +0200, Thomas Schmitt wrote: > Brian wrote: > > I think you had a provider's compromised database in mind when you wrote > > this. > > Yes. That's the way how an attacker can get the biggest harvest > and also the risk which you cannot influence from remote. True.

Re: One-line password generator

2017-09-02 Thread Thomas Schmitt
Hi, Brian wrote: > I think you had a provider's compromised database in mind when you wrote > this. Yes. That's the way how an attacker can get the biggest harvest and also the risk which you cannot influence from remote. > An attacker would be limited by his imagination and monetary and >

Re: One-line password generator

2017-09-02 Thread Jude DaShiell
On Sat 02 Sep 2017 at 12:52:32 +0200, Thomas Schmitt wrote: Jude DaShiell wrote: We have a 20 character password here with at least two of each kind of symbol in it lowers

Re: One-line password generator

2017-09-02 Thread Brian
On Sat 02 Sep 2017 at 12:52:32 +0200, Thomas Schmitt wrote: > Jude DaShiell wrote: > > We have a 20 character password here with at least two of each kind of > > symbol in it lowers uppers numbers and symbols. > > If you produced it by a quite random method then my only potential > criticism

Re: One-line password generator

2017-09-02 Thread Mario Castelán Castro
On 01/09/17 22:33, Zenaan Harkness wrote: > On Fri, Sep 01, 2017 at 09:38:14PM -0500, Mario Castelán Castro wrote: >> No. Entropy is the appropriate word. Please recall that “entropy” is >> just a different scale > > Use of the word "scale" is one example of things that lead people to > use loose

Re: One-line password generator

2017-09-02 Thread Thomas Schmitt
Hi, Jude DaShiell wrote: > We have a 20 character password here with at least two of each kind of > symbol in it lowers uppers numbers and symbols. If you produced it by a quite random method then my only potential criticism would be the question how you memorize it without the risk that it gets

Re: One-line password generator

2017-09-02 Thread Jude DaShiell
that this would be effective, but it does seem plausible. On Fri, 1 Sep 2017, Thomas Schmitt wrote:

Re: One-line password generator

2017-09-01 Thread Mario Castelán Castro
On 01/09/17 18:43, Zenaan Harkness wrote: > (Probably obvious, but as long as you're reading from urandom, > "entropy" is the wrong word, in this context, better to say "128 bits > of cryptographically secure numbers" as that which has been said e.g. > by the Linux kernel urandom developers as

Re: One-line password generator

2017-09-01 Thread Zenaan Harkness
On Fri, Sep 01, 2017 at 09:38:14PM -0500, Mario Castelán Castro wrote: > On 01/09/17 18:43, Zenaan Harkness wrote: > > (Probably obvious, but as long as you're reading from urandom, > > "entropy" is the wrong word, in this context, better to say "128 bits > > of cryptographically secure numbers" as

Re: One-line password generator

2017-09-01 Thread Zenaan Harkness
On Fri, Sep 01, 2017 at 08:46:33PM +0100, Brian wrote: > On Fri 01 Sep 2017 at 09:58:19 -0500, Mario Castelán Castro wrote: > > > On 22/08/17 10:04, Mario Castelán Castro wrote: > > > I have the following line in my Bash init file: > > > > > > “alias gen-password="head -c 16 /dev/urandom |

Re: One-line password generator

2017-09-01 Thread Zenaan Harkness
On Fri, Sep 01, 2017 at 09:58:19AM -0500, Mario Castelán Castro wrote: > On 22/08/17 10:04, Mario Castelán Castro wrote: > > I have the following line in my Bash init file: > > > > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"” > > > > This generates a password with

Re: One-line password generator

2017-09-01 Thread Thomas Schmitt
Hi, Brian wrote: > Here is a password > F!Vz5s19WuXa61PaA"+5 > Where does the password come from? It doesn't matter. But that's the cardboard backplane of the passwords which a human brain can memorize: They have an origin or a memory hook. Long passwords from a good random number generator

Re: One-line password generator

2017-09-01 Thread Brian
On Fri 01 Sep 2017 at 09:58:19 -0500, Mario Castelán Castro wrote: > On 22/08/17 10:04, Mario Castelán Castro wrote: > > I have the following line in my Bash init file: > > > > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"” > > > > This generates a password with

Re: One-line password generator

2017-09-01 Thread Mario Castelán Castro
On 22/08/17 10:04, Mario Castelán Castro wrote: > I have the following line in my Bash init file: > > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"” > > This generates a password with just above 128 bits of entropy. You may > find it useful. A slight

Re: One-line password generator

2017-09-01 Thread Thomas Schmitt
Hi, i forgot to emphasize that each user should generate an own salt value by $ python >>> bcrypt.gensalt(16) '$2a$16$MS6A6ZrsJ30ZdqHVCMWMm.' and put it into the bcrypt call of bcryptedpw.py p = bcrypt.hashpw(userpw, '$2a$16$MS6A6ZrsJ30ZdqHVCMWMm.')[-31:] If many users would use the

Re: One-line password generator

2017-09-01 Thread Thomas Schmitt
Hi, i made a test program from the SHA512 function of libjte, which stems from GNU C Library version 2.7 and is used for Jigdo ISOs. A loop of 10 million calls with a text of 80 characters, compiled -O2, ends after 4.088 seconds. That's about 2 exp 23 times faster than python-bcrypt with 2 exp 16

Re: One-line password generator

2017-08-31 Thread Reco
Hi. On Thu, Aug 31, 2017 at 08:00:54PM +0100, Brian wrote: > On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote: > > > On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote: > > 'Us'? Do not speak for all the list please. > > It is a construct; intended to involve everyone in the

Re: One-line password generator

2017-08-31 Thread Fungi4All
> From: a...@cityscape.co.uk > To: debian-user@lists.debian.org > > On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote: > >> On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote: >> "Us"? Do not speak for all the list please. > > It is a construct; intended to involve everyone in the conversation.

Re: One-line password generator

2017-08-31 Thread Brian
On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote: > On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote: > 'Us'? Do not speak for all the list please. It is a construct; intended to involve everyone in the conversation. > Admit that you just did not read the pdf. It is not concerned with

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, Brian wrote: > the crackers would likely not be in possession of a leaked password > (Uld4dFpYSkdkV1J3ZFdOclpYSUsK) but of a hash of it. That's why i did not claim to be able to decipher such things but rather mentioned that the name is celebrity enough to be quickly enumerated. The next two

Re: One-line password generator

2017-08-30 Thread Gene Heskett
On Wednesday 30 August 2017 10:25:00 Thomas Schmitt wrote: > Hi, > > i wrote: > > > The reason why this is still not fully reflected by the man page > > > is not yet uncovered. > > Gene Heskett wrote: > > Maybe a wee bit of security by obscurity? There is that I think in > > everyones thinking

Re: One-line password generator

2017-08-30 Thread Brian
On Wed 30 Aug 2017 at 15:47:35 +0200, Thomas Schmitt wrote: > Gene Heskett wrote: > > Well, that easy to remember method just went down in flames. Sigh... > > That's the first diffuse but significant wisdom we found in this thread: > > If you can memorize it without the help of publicly

Re: One-line password generator

2017-08-30 Thread Gene Heskett
On Wednesday 30 August 2017 10:07:09 Greg Wooledge wrote: > On Wed, Aug 30, 2017 at 09:57:34AM -0400, Gene Heskett wrote: > > On Wednesday 30 August 2017 09:47:35 Thomas Schmitt wrote: > > > The reason why this is still not fully reflected by the man page > > > is not yet uncovered. > > > > Maybe

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, i wrote: > > If you can memorize it without the help of publicly knowable details of > > your life, then it's too easy to enumerate with nowadays' hardware. Curt wrote: > He should've salted it a little. Sure. I also did not "crack" it by enumeration but by base64 -d after recognizing the

Re: One-line password generator

2017-08-30 Thread Curt
On 2017-08-30, Thomas Schmitt wrote: > Hi, > > Gene Heskett wrote: >> Well, that easy to remember method just went down in flames. Sigh... > > That's the first diffuse but significant wisdom we found in this thread: > > If you can memorize it without the help of publicly

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, i wrote: > > The reason why this is still not fully reflected by the man page is > > not yet uncovered. Gene Heskett wrote: > Maybe a wee bit of security by obscurity? There is that I think in > everyones thinking on this subject. They don't want to price the farm > so cheap that it will

Re: One-line password generator

2017-08-30 Thread Greg Wooledge
On Wed, Aug 30, 2017 at 09:57:34AM -0400, Gene Heskett wrote: > On Wednesday 30 August 2017 09:47:35 Thomas Schmitt wrote: > > The reason why this is still not fully reflected by the man page is > > not yet uncovered. > > Maybe a wee bit of security by obscurity? Or you're not reading the

Re: One-line password generator

2017-08-30 Thread Gene Heskett
On Wednesday 30 August 2017 09:47:35 Thomas Schmitt wrote: > Hi, > > Gene Heskett wrote: > > Well, that easy to remember method just went down in flames. > > Sigh... > > That's the first diffuse but significant wisdom we found in this > thread: > > If you can memorize it without the help of

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, Gene Heskett wrote: > Well, that easy to remember method just went down in flames. Sigh... That's the first diffuse but significant wisdom we found in this thread: If you can memorize it without the help of publicly knowable details of your life, then it's too easy to enumerate with

Re: One-line password generator

2017-08-30 Thread Gene Heskett
On Wednesday 30 August 2017 09:09:49 Thomas Schmitt wrote: > Hi, > > > I hereby challenge this group to crack this passwd: > > Uld4dFpYSkdkV1J3ZFdOclpYSUsK > > Without the claim to be able to do this again: > > By enumerating the name "Elmer Fudpucker" (obviously known to the > internet) and

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, > I hereby challenge this group to crack this passwd: > Uld4dFpYSkdkV1J3ZFdOclpYSUsK Without the claim to be able to do this again: By enumerating the name "Elmer Fudpucker" (obviously known to the internet) and applying base64 twice: $ echo "ElmerFudpucker" | base64 | base64

Re: One-line password generator

2017-08-30 Thread Gene Heskett
On Wednesday 30 August 2017 08:11:05 Greg Wooledge wrote: > On Wed, Aug 30, 2017 at 11:47:24AM +1000, Zenaan Harkness wrote: > > They don't. You ought not use /dev/urandom for key generation, use > > /dev/random instead. > > The Linux man page disagrees with you. From Debian 9 urandom(4): > >

Re: One-line password generator

2017-08-30 Thread Greg Wooledge
On Wed, Aug 30, 2017 at 11:47:24AM +1000, Zenaan Harkness wrote: > They don't. You ought not use /dev/urandom for key generation, use > /dev/random instead. The Linux man page disagrees with you. From Debian 9 urandom(4): The /dev/random device is a legacy interface which dates back to a

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, Curt wrote: > How about TawnyLoveRockefellerIII? Expect to get mails like: "Your money account at Blingstergirl.com is empty. Please send 1 million $ and some swimwear photos of you to prove your identity." Have a nice day :) Thomas

Re: One-line password generator

2017-08-30 Thread Thomas Schmitt
Hi, Zenaan Harkness wrote: > Once again: QUOTE THE ARTICLE!!! Ouch my eyes. You shout. If the article puts one of its key statements into a diagram, then i cannot quote that directly as text, but only re-narrate it. > Then, QUOTE ME. > quote PRECISELY I did this in many lines. Without

Re: One-line password generator

2017-08-30 Thread Curt
On 2017-08-29, Thomas Schmitt wrote: > >> Ok, they have to start somewhere - it might as well be you. :) > > Never choose a username that looks like money or sexual exploitability. How about TawnyLoveRockefellerIII? -- "Time flies like an arrow. Fruit flies like a banana."

Re: One-line password generator

2017-08-29 Thread Zenaan Harkness
On Tue, Aug 29, 2017 at 02:52:10PM +0200, Thomas Schmitt wrote: > Hi, > > Andy Smith wrote: > > https://www.2uo.de/myths-about-urandom/#experts > > So it is about how Daniel Bernstein justifies his claim that it is > wrong to say: > > "we can't figure out how to deterministically expand one

Re: One-line password generator

2017-08-29 Thread Zenaan Harkness
On Tue, Aug 29, 2017 at 02:28:01PM +0200, Thomas Schmitt wrote: > Hi, > > now it's not about information technology any more but about math and the > difficulty to properly discuss a mathematical opinion. > > > Zenaan Harkness wrote: > > Which myth? > > The one denounced by Thomas Huehn's

Re: One-line password generator

2017-08-29 Thread Reco
Hi. On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote: > On Tue 29 Aug 2017 at 22:29:41 +0300, Reco wrote: > > > Hi. > > > > On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote: > > > On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote: > > > > > > > Brian wrote: > > >

Re: One-line password generator

2017-08-29 Thread Thomas Schmitt
Hi, Brian wrote: > They would never have got to >my!only"reason£for$living%is^ebay Unless some group of people is caught with using this scheme. Of course the attacker needs more computing power than with a camelback style text that bears no separators out of a set with a few dozen

Re: One-line password generator

2017-08-29 Thread Brian
On Tue 29 Aug 2017 at 22:29:41 +0300, Reco wrote: > Hi. > > On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote: > > On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote: > > > > > Brian wrote: > > > > I do not have to run faster than the bear, just faster than anyone else. > > >

Re: One-line password generator

2017-08-29 Thread Reco
Hi. On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote: > On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote: > > > Brian wrote: > > > I do not have to run faster than the bear, just faster than anyone else. > > (Analogies never work. Remind me not to use them again). > > >

Re: One-line password generator

2017-08-29 Thread Brian
On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote: > Brian wrote: > > I do not have to run faster than the bear, just faster than anyone else. (Analogies never work. Remind me not to use them again). > According to the article about the successful cracking, it is not so much > about

Re: One-line password generator

2017-08-29 Thread Thomas Schmitt
Hi, Andy Smith wrote: > https://www.2uo.de/myths-about-urandom/#experts So it is about how Daniel Bernstein justifies his claim that it is wrong to say: "we can't figure out how to deterministically expand one 256-bit /dev/random output into an endless stream of unpredictable keys (this

Re: One-line password generator

2017-08-29 Thread Thomas Schmitt
Hi, now it's not about information technology any more but about math and the difficulty to properly discuss a mathematical opinion. Zenaan Harkness wrote: > Which myth? The one denounced by Thomas Huehn's article. Saying that /dev/random gets fed directly from the entropy pool:

Re: One-line password generator

2017-08-29 Thread Andy Smith
Hello, On Tue, Aug 29, 2017 at 12:40:48PM +0200, Thomas Schmitt wrote: > Originally Curt wrote: > > > > https://www.2uo.de/myths-about-urandom > > Zenaan Harkness wrote: > > Really great myth-debunking article > > Up to now i found no credible expert opinion which would clearly > contradict it.

Re: One-line password generator

2017-08-29 Thread Zenaan Harkness
On Tue, Aug 29, 2017 at 12:40:48PM +0200, Thomas Schmitt wrote: > Hi, > > Zenaan Harkness wrote: > > I should have wrote "/dev/random should be treated as though it is > > the input feed to /dev/urandom" (sorry about that). > > But that it isn't. The myth model says that it would be. Which

Re: One-line password generator

2017-08-29 Thread Thomas Schmitt
Hi, Zenaan Harkness wrote: > I should have wrote "/dev/random should be treated as though it is > the input feed to /dev/urandom" (sorry about that). But that it isn't. The myth model says that it would be. But the other quite credible info says that its output stems from the pseudo random

Re: One-line password generator

2017-08-29 Thread Zenaan Harkness
On Tue, Aug 29, 2017 at 06:49:45PM +1000, Zenaan Harkness wrote: > I stated: > > > https://www.2uo.de/myths-about-urandom/structure-yes.png > > > > The new situation as stated in > > > https://www.2uo.de/myths-about-urandom/structure-new.png > > > > I always thought (even pre- Kernel 4.8)

Re: One-line password generator

2017-08-29 Thread Zenaan Harkness
I stated: > > https://www.2uo.de/myths-about-urandom/structure-yes.png > > The new situation as stated in > > https://www.2uo.de/myths-about-urandom/structure-new.png > > I always thought (even pre- Kernel 4.8) that structure-new was how it > worked. But on the other hand, it's just a

Re: One-line password generator

2017-08-29 Thread Zenaan Harkness
On Tue, Aug 29, 2017 at 09:06:07AM +0200, Thomas Schmitt wrote: > Hi, > > Zenaan Harkness wrote: > > AIUI /dev/random is simply the input feed to /dev/urandom [...] I should have wrote "/dev/random should be treated as though it is the input feed to /dev/urandom" (sorry about that). > This is

Re: One-line password generator

2017-08-29 Thread Thomas Schmitt
Hi, Zenaan Harkness wrote: > AIUI /dev/random is simply the input feed to /dev/urandom [...] This is what the article by Thomas Huehn https://www.2uo.de/myths-about-urandom/ calls a myth, illustrated by diagram https://www.2uo.de/myths-about-urandom/structure-no.png Andy Smith stated in

Re: One-line password generator

2017-08-28 Thread Zenaan Harkness
On Mon, Aug 28, 2017 at 12:04:51PM +0200, Thomas Schmitt wrote: > Hi, > > Curt wrote: > > Here's a fresh (20 July of this year) view by Theodore Ts'o: > > https://lkml.org/lkml/2017/7/20/993 > > An opinion of substantial weight, indeed. > > Nevertheless it would be more interesting to learn the

Re: One-line password generator

2017-08-28 Thread Thomas Schmitt
Hi, i wrote: > > I understand that in this situation there is no difference > > between /dev/random and /dev/urandom. > > The difference appears only when the assumption of wealth is not fulfilled. Andy Smith wrote: > It cannot be "not fulfilled" except in the very early boot sequence. Well,

Re: One-line password generator

2017-08-28 Thread Andy Smith
Hello, On Mon, Aug 28, 2017 at 12:04:51PM +0200, Thomas Schmitt wrote: > And again, the argumentation of Theodore is that there is always enough > entropy at hand. I understand that in this situation there is no difference > between /dev/random and /dev/urandom. > The difference appears only when

Re: One-line password generator

2017-08-28 Thread Thomas Schmitt
Hi, Curt wrote: > Here's a fresh (20 July of this year) view by Theodore Ts'o: > https://lkml.org/lkml/2017/7/20/993 An opinion of substantial weight, indeed. Nevertheless it would be more interesting to learn the reason why Linux did not simply make /dev/random behave like /dev/urandom long

Re: One-line password generator

2017-08-28 Thread Curt
On 2017-08-28, Thomas Schmitt wrote: > > But i myself have two use cases for (pseudo-)random numbers: > - Small but hard secrets which i need for security purposes. > - 3 times 25 GB of random stream to surely shake up the bits on a BD-RE > medium which previously contained

Re: One-line password generator

2017-08-28 Thread Thomas Schmitt
Hi, Andy Smith wrote: > The relevant Linux man pages were > recently updated to clarify that once seeded, /dev/urandom is > sufficient for any use > [...] > https://bugzilla.kernel.org/show_bug.cgi?id=71211 Maybe there are stronger reasons to abandon /dev/random. But that thread states as only

Re: One-line password generator

2017-08-27 Thread Andy Smith
Hello, On Sun, Aug 27, 2017 at 09:05:41PM +0200, Thomas Schmitt wrote: > Curt wrote: > > So this is wrong: > > https://www.2uo.de/myths-about-urandom/ > > Dunno. I took my info from the man page. The article at 2uo.de is correct. The relevant Linux man pages were recently updated to clarify

Re: One-line password generator

2017-08-27 Thread Thomas Schmitt
Hi, Brian wrote: > I do not have to run faster than the bear, just faster than anyone else. According to the article about the successful cracking, it is not so much about how fast you are. The bear will not stop when it is done with eating those behind you. It is rather about not to walk the

Re: One-line password generator

2017-08-27 Thread Thomas Schmitt
Hi, Curt wrote: > So this is wrong: > https://www.2uo.de/myths-about-urandom/ Dunno. I took my info from the man page. This article is, at least at its beginnings, very affirmative and fewly equipped with supporting facts. Mainly "Believe Me !". The author is a proselyte of urandom, as he

Re: One-line password generator

2017-08-27 Thread Brian
On Sun 27 Aug 2017 at 17:08:16 +0200, Thomas Schmitt wrote: > Hi, > > i wrote: > > > Quite hard > > > to guess would be if you replace sha256sum by an encryption program with > > > a key which you successfully keep secret. > > Brian wrote: > > Increasing difficulty in this way looks good to me.

Re: One-line password generator

2017-08-27 Thread Curt
On 2017-08-27, Thomas Schmitt wrote: > > > If your password is not that strong, then you are probably better off with > Mario Castelán Castro's approach modified by use of /dev/random instead of > /dev/urandom. > https://lists.debian.org/debian-user/2017/08/msg01260.html > >

Re: One-line password generator

2017-08-27 Thread Mario Castelán Castro
On 27/08/17 08:55, Brian wrote: > Thank you for the detailed explanation. I had already come to some of > the conclusions in your account but it is good to have them firmly and > succinctly laid out. You are welcome. -- Do not eat animals, respect them as you respect people.

Re: One-line password generator

2017-08-27 Thread Thomas Schmitt
Hi, i wrote: > > Quite hard > > to guess would be if you replace sha256sum by an encryption program with > > a key which you successfully keep secret. Brian wrote: > Increasing difficulty in this way looks good to me. Thanks. I would most > certainly hope I could keep the key secret. Now you

Re: One-line password generator

2017-08-27 Thread Brian
On Sat 26 Aug 2017 at 21:14:35 -0500, Mario Castelán Castro wrote: > On 26/08/17 13:25, Brian wrote: > > How does this > > > > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1 > > > > compare with your recommendation? > > I do not see the point in this post-processing. > >

Re: One-line password generator

2017-08-27 Thread Brian
On Sat 26 Aug 2017 at 21:15:37 +0200, Thomas Schmitt wrote: > Hi, > > Brian wrote: > > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1 > > The quality criterion is the ease or difficulty to guess the 'secretpassword' > by a skilled enumerator and the fact whether your

Re: One-line password generator

2017-08-27 Thread Brian
On Sat 26 Aug 2017 at 20:07:34 +0100, Brian wrote: > On Sat 26 Aug 2017 at 20:37:01 +0200, Nicolas George wrote: > > > Le nonidi 9 fructidor, an CCXXV, Brian a écrit : > > > echo 'secretpassword' | > > > > echo 'secretpassword site-name' > > > > > sha256sum - | base64 > >

Re: One-line password generator

2017-08-26 Thread Mario Castelán Castro
On 26/08/17 13:25, Brian wrote: > How does this > > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1 > > compare with your recommendation? I do not see the point in this post-processing. It seems that you have a very wrong impression of what makes a password generation

Re: One-line password generator

2017-08-26 Thread Thomas Schmitt
Hi, Brian wrote: > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1 The quality criterion is the ease or difficulty to guess the 'secretpassword' by a skilled enumerator and the fact whether your attacker knows the rest of your processing pipeline. If your secretpassword

Re: One-line password generator

2017-08-26 Thread Brian
On Sat 26 Aug 2017 at 20:37:01 +0200, Nicolas George wrote: > Le nonidi 9 fructidor, an CCXXV, Brian a écrit : > > echo 'secretpassword' | > > echo 'secretpassword site-name' > > >sha256sum - | base64 > > Very bad: since sha256sum outputs its result in hexadecimal, it

Re: One-line password generator

2017-08-26 Thread Nicolas George
Le nonidi 9 fructidor, an CCXXV, Brian a écrit : > echo 'secretpassword' | echo 'secretpassword site-name' > sha256sum - | base64 Very bad: since sha256sum outputs its result in hexadecimal, it only has half the entropy it seems to have. The same thing with Perl's

Re: One-line password generator

2017-08-26 Thread Brian
On Tue 22 Aug 2017 at 10:04:59 -0500, Mario Castelán Castro wrote: > I have the following line in my Bash init file: > > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"” > > This generates a password with just above 128 bits of entropy. You may > find it useful. How

Re: One-line password generator

2017-08-25 Thread Mario Castelán Castro
On 25/08/17 13:44, Thomas Schmitt wrote: >> I will justify my claim of incompetence. > > So that it does not look like an intentional insult ? This is plain and simply my reason is to avoid further discussion about cryptography with you. I did not write this with the purpose of making an

Re: One-line password generator

2017-08-25 Thread Mario Castelán Castro
On 25/08/17 12:15, Thomas Schmitt wrote: >> Also, the theoretical vulnerability described in that man page is far >> fetched. > It is a mathematical fact. If you take a few theoretically unpredictable > bits and inflate them to 128 bits, then the added size is no entropy, > although it might be

Re: One-line password generator

2017-08-25 Thread Mario Castelán Castro
On 25/08/17 12:11, Brian wrote: >> Unless you have a good reason to think otherwise (e.g. *you* manage the >> web site and you know you are doing a good job), you should assume that >> the data-base with hashes passwords will leak without the system >> administrators noticing, and then an attack

Re: One-line password generator

2017-08-25 Thread Mario Castelán Castro
On 25/08/17 11:51, Brian wrote: > However, users use passwords to log into accounts *online* and those > passwords are devised to withstand an *online* attack (of 100 tests per > second maximum(?)). This is the only aspect a user can completely > control and many make a good job of it. Passwords

Re: One-line password generator

2017-08-25 Thread Thomas Schmitt
Hi, > You say that pseudo-random number generators can not add entropy and > this is a mathematical fact. This is true, and irrelevant. > [... > lots of algebraic terms about the difficulty to revert the > mapping which produces the pseudo-random redundancy > ...] The attack described in the

Re: One-line password generator

2017-08-25 Thread Brian
On Fri 25 Aug 2017 at 12:14:18 -0500, Mario Castelán Castro wrote: > On 25/08/17 12:11, Brian wrote: > >> Unless you have a good reason to think otherwise (e.g. *you* manage the > >> web site and you know you are doing a good job), you should assume that > >> the data-base with hashes passwords

Re: One-line password generator

2017-08-25 Thread Mario Castelán Castro
On 25/08/17 09:46, Thomas Schmitt wrote: > Mario Castelán Castro wrote: >> In principle, yes, but in practice, not at all. File compressors [...] > > I wrote "estimate", "approximation", and "best possible compression". > Of course gzip is not a very good approximation even if one subtracts the >

Re: One-line password generator

2017-08-25 Thread Thomas Schmitt
Hi, Mario Castelán Castro wrote: > My point is that there is no way to make a > reasonable approximation to the Kolmogorov complexity of a password. That's my point, too. Although i use the terms "information" and "entropy". > To recap: Real-life file compressors can not be used to estimate

Re: One-line password generator

2017-08-25 Thread Brian
On Fri 25 Aug 2017 at 11:55:01 -0500, Mario Castelán Castro wrote: > On 25/08/17 11:51, Brian wrote: > > However, users use passwords to log into accounts *online* and those > > passwords are devised to withstand an *online* attack (of 100 tests per > > second maximum(?)). This is the only

Re: One-line password generator

2017-08-25 Thread Brian
On Fri 25 Aug 2017 at 08:40:35 +, Curt wrote: > On 2017-08-25, David Wright wrote: > > > > Unless you have accounts¹ that invite break-in attempts², the main > > thing to resist offline cracking is to have better passwords than > > your neighbours, just like

Re: One-line password generator

2017-08-25 Thread Mario Castelán Castro
On 25/08/17 04:21, Thomas Schmitt wrote: > One can estimate entropy by an approximation of the best possible > compression in the context of the knowledge of the reader. > The compression result will generally be longer if the compressor has > fewer knowledge about the message. In principle, yes,

Re: One-line password generator

2017-08-25 Thread Thomas Schmitt
Hi, i wrote: > > One can estimate entropy by an approximation of the best possible > > compression in the context of the knowledge of the reader. Mario Castelán Castro wrote: > In principle, yes, but in practice, not at all. File compressors [...] I wrote "estimate", "approximation", and "best

Re: One-line password generator

2017-08-25 Thread Thomas Schmitt
Hi, Curt wrote: > https://xkcd.com/936/ Well, this is a joke for mathematicians. ROFL et.al. > https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ ... and this lines out why the other is so funny. So what is the reason why

Re: One-line password generator

2017-08-25 Thread Curt
On 2017-08-25, David Wright wrote: > > Unless you have accounts¹ that invite break-in attempts², the main > thing to resist offline cracking is to have better passwords than > your neighbours, just like security against burglary. Once a suitable > proportion of passwords

Re: One-line password generator

2017-08-24 Thread David Wright
On Thu 24 Aug 2017 at 18:42:47 (+0100), Brian wrote: > On Wed 23 Aug 2017 at 18:06:49 -0500, Mario Castelán Castro wrote: > > On 23/08/17 14:11, Brian wrote: > > > "Probably" is probably good enough. The probability of either of the two > > > previous passwords being deduced from pure guessing is

Re: One-line password generator

2017-08-24 Thread Brian
On Wed 23 Aug 2017 at 18:06:49 -0500, Mario Castelán Castro wrote: > On 23/08/17 14:11, Brian wrote: > >> As for the scenario where the password is compromised and that leads to > >> somebody posting slander in one behalf, that can happen without any need > >> for password cracking. Anybody can

Re: One-line password generator

2017-08-23 Thread Mario Castelán Castro
On 23/08/17 14:11, Brian wrote: >> As for the scenario where the password is compromised and that leads to >> somebody posting slander in one behalf, that can happen without any need >> for password cracking. Anybody can create a profile in a social network >> pretending to be you with the

Re: One-line password generator

2017-08-23 Thread Lck Ras
On 08/24/2017 02:11 AM, Brian wrote: > You should never reveal how your passwords are generated. In detail, > that is; in principle there might be no harm done. But how do you know how much you can reveal about it until there is real harm done? You can't really know for sure how much entropy your

Re: One-line password generator

2017-08-23 Thread Terence
You certainly didn't upset my appetite! As a Linux user since the mid-Nineties I can only say how on a daily basis I am increasingly impressed by, and grateful for, the very supportive Linux (in particular the Debian - since that is my favourite distribution) community. In particular I understand

Re: One-line password generator

2017-08-23 Thread Fungi4All
One thing is for sure, with the good ol'boyz club of developers and ex-developers there is no room on this list for /users Which proves my theory that it is insiders of the linux community that make it so hostile for the rest of the world, due to their insecurity their good ol'boy club will

Re: One-line password generator

2017-08-23 Thread Glenn English
On Tue, Aug 22, 2017 at 8:20 PM, Mario Castelán Castro wrote: I ask the user for a fairly long line in a song, or maybe a poem, that they know or can learn. Something like the third line of a 19th century translation of Homer's Odyssey. I use the first letter, randomly

Re: One-line password generator

2017-08-23 Thread Mario Castelán Castro
On 23/08/17 11:57, Brian wrote: >> If you do not care about security, you could generate a single 4 >> character bit block with my method and save typing. > > One online password checker (not that I understand how it works or even > trust it) gives > >

Re: One-line password generator

2017-08-23 Thread Aaron Toponce
On Wed, Aug 23, 2017 at 03:23:50PM -0400, Greg Wooledge wrote: > On Wed, Aug 23, 2017 at 01:16:56PM -0600, Aaron Toponce wrote: > > Three POSIX-compliant shell functions that rely on no extra utilities > > shuff () { > > if [ $(command -v shuf) ] > > Needs quotes. Good catch. > >

Re: One-line password generator

2017-08-23 Thread Greg Wooledge
On Wed, Aug 23, 2017 at 01:16:56PM -0600, Aaron Toponce wrote: > Three POSIX-compliant shell functions that rely on no extra utilities > shuff () { > if [ $(command -v shuf) ] Needs quotes. > shuffle -f /dev/stdin -p "$1" /dev/stdin is not POSIX-compliant. >

Re: One-line password generator

2017-08-23 Thread Aaron Toponce
On Tue, Aug 22, 2017 at 10:04:59AM -0500, Mario Castelán Castro wrote: > I have the following line in my Bash init file: > > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"” > > This generates a password with just above 128 bits of entropy. You may > find it useful.

Re: One-line password generator

2017-08-23 Thread Brian
On Wed 23 Aug 2017 at 12:58:19 -0500, Mario Castelán Castro wrote: > On 23/08/17 11:57, Brian wrote: > >> If you do not care about security, you could generate a single 4 > >> character bit block with my method and save typing. > > > > One online password checker (not that I understand how it
