The wrench never fails. :) For 99% of my passwords I use LastPass and the PW generator. It irks me no end to come across a site that doesn't accept complex passwords, or ones with stupid limitations of 12 or fewer characters. I had (past tense is key) a bank site that limited to 16 and didn't allow special characters. Discover actually requires a complex *username*...but I digress.
At the end of the day if someone knows enough to bother encrypting their system in the first place they know to use a decent passphrase...and they also know about the wrench. As another tangent, the wrench is why I like TrueCrypt's "Duress password" ability. But that also doesn't work on whole disk. :( Which is why I typically don't do whole disk for my personal stuff. Darn wrench.

- William

On Mon, Jul 1, 2013 at 6:35 AM, Edward Harvey <[email protected]> wrote:
> Yeah, I like that one. :-)
>
> Also this:
>
> http://xkcd.com/538/
>
> Incidentally, this is mine, and it's what I use:
>
> https://clevertrove.com/randcharsweb/
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* William J. Robbins
> *Sent:* Sunday, June 30, 2013 11:07 PM
> *To:* Edward Ned Harvey (lopser)
> *Subject:* Re: [lopsa-tech] Bitlocker vs Truecrypt
>
> Reminds me almost exactly of this: http://xkcd.com/936/
>
> :D
>
> - William
>
> On Sun, Jun 30, 2013 at 8:29 PM, Edward Ned Harvey (lopser) <[email protected]> wrote:
>
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of William J. Robbins
> >
> > (And that's based on this: https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
> > using the Alphanumeric character value of 5.954, Would be some higher using special characters as one should)
> > If I'm encrypting a drive I'd think a decent passphrase would meet/exceed 42 characters. Something like: Dammit Jim, I'm a doctor not a bricklayer!
>
> To attack your password in a situation such as you described above, an attacker only needs to learn (or guess) that you used some sort of phrase instead of random characters, and they won't need to attack random characters anymore. They'll attack patterns of words, which is a *far* smaller space to attack, considering you have only 8 words in there. 8 random words from the space including unusual words and proper nouns and stuff, gets you around 104 bits. Throw in some common substitutions such as "d0ctor" and you gain a little bit, but they're predictable, unless they're random. In fact, *all* the characters are predictable unless they're random.
>
> I emphasize, number of characters is only a measure of entropy, if they're randomly selected by a machine, and then you memorize them without any modification. The measure of entropy in your password is measured by the number of guesses an attacker would have to work through in order to guess your pass. As soon as you start making modifications such as "Gpu7mvrDZ is too hard to type, I'm going to make it GPU7mvrDZ" the attack space becomes smaller, based on predictions of human behavior.
>
> > But to get 256 bits of entropy is only around 42 characters isn't it?
>
> To answer this kind of stuff, I like wolframalpha.
> Alphanumeric, mixed case, means 26*26*10 possibilities for each character.
> log2((26*26*10)^21)
> If you randomly choose 21 characters = 267 bits. (20 chars is only 254 bits). Here's an example of what the 21 char password would look like:
> omEzmGpu7mvrDZbYYPM4Da
> Yes, you can memorize something like that, with some effort. But you certainly cannot expect it to be common practice.
>
> They have to be *random* characters. No acronyms, nothing that reflects the frequency of letters occurring in English, etc. If you're not selecting them randomly, you're reducing the space you select your password from.
>
> Also, in this: https://code.google.com/p/randchars/ There is a 2264 list of words. log2(2264^23) = 256 bits. So 23 random words would give you 256 bits entropy...
>
> suggest-pot-live-complaint-flood-mouth-bless-and-sauce-anger-mineral-discussion-point-gallon-notebook-wreck-mercy-drop-cousin-absence-other-ocean-sacred
>
> You could use a randomly generated 256 bit password like that. It might be easier to memorize than the random characters.
>
> > And if you are doing a home PC not on a domain, the only storage of the recovery key is where you put it on completion. I've seen folks screen shot it, print it off, etc.
>
> Good point. Recovery key that was initially generated randomly is only as secure as the security around your backup copy of that key. The truecrypt recovery media is equally strong as the truecrypt volume itself - which is as strong as your password. With bitlocker, you have several options, so it's difficult to analyze the security of your backup keys. If stored in Active Directory ... Well, AD is itself very secure if well configured. But lots of people don't configure it well. And if you take a screen shot, or copy text, then it all depends on where you choose to save it...
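The two calculations argued over in the thread above, as an added example that is not part of the original messages: entropy of uniformly random symbols (a 62-symbol alphanumeric alphabet, or the 2264-word list) versus what a natural-language phrase is worth once an attacker models it as a sequence of dictionary words. The 62-symbol alphabet (26 lower + 26 upper + 10 digits, which gives the 5.954 bits/char figure quoted in the thread), the 8192-word vocabulary used to reproduce the 104-bit estimate, and the tiny demo word list are assumptions of this example.

```python
import math
import secrets

# Assumed character model: 26 lower + 26 upper + 10 digits = 62 equally likely symbols.
ALPHANUMERIC = 26 + 26 + 10   # log2(62) = 5.954 bits per character


def entropy_bits(space_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly and independently
    from `space_size` choices (only valid if a CSPRNG did the choosing)."""
    if space_size < 2 or length < 1:
        raise ValueError("need at least two choices and one symbol")
    return length * math.log2(space_size)


def symbols_needed(space_size: int, target_bits: float) -> int:
    """Smallest number of uniform random symbols that reaches `target_bits`."""
    if space_size < 2:
        raise ValueError("need at least two choices")
    return math.ceil(target_bits / math.log2(space_size))


def phrase_bits_under_word_model(phrase: str, dictionary_size: int) -> float:
    """What an attacker who knows the secret is an English phrase has to search:
    one dictionary draw per word; spaces and commas carry no entropy."""
    words = [w for w in phrase.replace(",", " ").split() if w]
    return entropy_bits(dictionary_size, len(words))


def random_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Diceware-style passphrase from a CSPRNG; worth n_words * log2(len(wordlist)) bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed eight-word list so the demo runs offline (the thread's list has 2264 words).
DEMO_WORDS = ["suggest", "pot", "live", "complaint", "flood", "mouth", "bless", "sauce"]

if __name__ == "__main__":
    print(f"{symbols_needed(ALPHANUMERIC, 256)} random alphanumeric chars reach 256 bits")
    print(f"23 words from a 2264-word list: {entropy_bits(2264, 23):.1f} bits")
    phrase = "Dammit Jim, I'm a doctor not a bricklayer!"
    print(f"length-only view: {entropy_bits(ALPHANUMERIC, len(phrase)):.0f} bits; "
          f"word model (8192-word vocabulary): "
          f"{phrase_bits_under_word_model(phrase, 8192):.0f} bits")
    print("demo passphrase:", random_passphrase(DEMO_WORDS, 4))
```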
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
