There are opposing forces in what constitutes a good password. On the one hand you want a password which is hard for someone to guess at or stumble upon. On the other hand you want a password which the user can remember WITHOUT writing it down or putting it into a file.

Randomly generated passwords tend to be good at the first test, but bad at the second. Some random password generators come up with two random words and tie them together; these might be easier to remember but not as secure. Passphrases like GPG/PGP use are pretty good as long as you are a fairly good typist. Of course many password rule checks disallow such long passwords and require at least one number etc.

One of the better suggestions I've come across for developing a good password was to think of an easily remembered phrase and use the first letter of each word. Like mmtmybsa: I can remember "my momma told me you better shop around", and no, I don't use mmtmybsa for any of my passwords. If you have to include digits you can use l33t1st tricks to introduce them; I might just change the above to m3mtmybs4.

On Wed, 23 Feb 2005 19:31:00 -0500 (EST), Matt Pusateri <[EMAIL PROTECTED]> wrote:
> On Wed, February 23, 2005 5:22 pm, Warren Myers said:
> > Howdy:
> >
> > I have been interested in cryptography for a long time, and know, as
> > I'm sure most of you do, that passwords tend to be the weak point of a
> > system.
> >
> > I recently wrote a password generator (available on my website
> > http://warrenmyers.com/pwd.php or in slightly different form
> > http://warrenmyers.com/stuff/pwd.zip, linux binary compressed) and am
> > wondering if any of you have come across other random password
> > generators, and what your experience in general of securing your
> > passwords and accounts has been.
> >
> > Thanks.
> >
> > Warren
> > --
> > http://warrenmyers.com
> > "Don't let the elephants see what the rabbits are doing." --Ben R Rich
> >
>
> Sorry I hit send before I finished my thought. I don't claim to be a
> cryptographer, but it seems to me that if one were to use a password
> generator from somewhere, that it would lend more credence if you
> could verify the experience of the author within well known
> cryptographic circles. This is not to intimate that the password
> generator you have written is no good, it may be excellent, I don't
> know. I haven't looked at it and don't claim to be of sufficient
> knowledge to evaluate it. But when it comes to passwords and
> security, the level of scrutiny has to be elevated. Obviously other
> software you run could just as easily if not more so lead to security
> holes more than the password chosen.
>
> Matt
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
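As an added example (not code from this thread or from either poster), here is a small Python script that mechanises the first-letter mnemonic and the digit-substitution trick described above and checks the result against the kind of rule set the post mentions. The substitution table, the rule limits, and the choice to substitute from the end of the mnemonic are assumptions of this example; the author's m3mtmybs4 was made by hand and differs.

```python
import re

# Constructed substitution table (an assumption of this example, not the
# author's hand-made choice): letters replaced by look-alike digits so a
# rule such as "at least one digit" can be satisfied.
LEET_DIGITS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def acronym(phrase: str) -> str:
    """Take the first letter of each word of an easily remembered phrase."""
    words = re.findall(r"[A-Za-z']+", phrase)
    return "".join(w[0].lower() for w in words)


def leetify(mnemonic: str, max_subs: int = 1) -> str:
    """Introduce digits with l33t-style substitutions, working from the end
    so the start of the mnemonic stays recognisable to its owner."""
    chars = list(mnemonic)
    done = 0
    for i in range(len(chars) - 1, -1, -1):
        if done >= max_subs:
            break
        if chars[i] in LEET_DIGITS:
            chars[i] = LEET_DIGITS[chars[i]]
            done += 1
    return "".join(chars)


def meets_policy(pw: str, min_len: int = 8, max_len: int = 16,
                 need_digit: bool = True) -> bool:
    """Typical rule checks the post complains about: a minimum length, a
    maximum length that rejects long passphrases, and at least one digit.
    The limits are assumed values for the example."""
    if not (min_len <= len(pw) <= max_len):
        return False
    if need_digit and not any(c.isdigit() for c in pw):
        return False
    return True


if __name__ == "__main__":
    phrase = "my momma told me you better shop around"   # the post's phrase
    base = acronym(phrase)
    leet = leetify(base)
    for candidate in (phrase, base, leet):
        print(f"{candidate!r}: passes policy = {meets_policy(candidate)}")
```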
