On 11/04/2008 17:22, Scott Meyers wrote:
Harold Fuchs wrote:
1. How on earth do you keep track of all those humongous pass phrases?
I use a program called Roboform (http://www.roboform.com/). I choose
the phrases for each site (or have it choose one for me), it does the
remembering.
So if anyone hacks your PC [or USB key] with Roboform [portable] on it
they have *all* your passwords. Hmmmmm. Or if the database crashes you
have *none* of your passwords. Hmmmmm.
2. Why do you consider it necessary to use >32 [non-alphanumeric]
characters to protect something as trivial as access to a public web
forum? Bank accounts, yes; public web forums, ?????
Mostly it's a matter of trying to follow good habits. If a site feels
that a password is important enough to require, I feel that it's my
job to choose one that's not too easy to guess.
"Not too easy to guess" ... Who is going to try to guess your password
to a public web forum? Why would anyone bother? And if somebody did, so
what? Why not just publish your password and then nobody can claim they
have evidence you said something rude because you can retort that
anybody could have said it in your stead.
So I have a simple rule: always include at least one space. That way
I know that no dictionary-based attack can succeed.
Sorry to be blunt but that's complete balderdash. Any halfway decent
dictionary attack will know phrases as well as just words. It will also
know words with spaces (and/or other characters) interpolated within
them - even Windows allows spaces in its passwords ("This is a fairly
long password" is legal, for example). Crackers using dictionary
attacks, like Crack or L0pht (aka LC5) are fully aware of this. Most
crackers, even basic ones, are not *only* simple dictionary attacks.
Most also include algorithms for making common substitutions (zero for
letter O, digit 1 for letter ell etc.), for combining upper and lower
case in all combinations for each "guess" and for interpolating "odd"
characters.
--
Harold Fuchs
London, England
Please reply *only* to [email protected]
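Harold's point above, that dictionary crackers normalise spaces, case and common character substitutions before comparing against lists of words and phrases, can be turned into a defender-side password check. The following Python is an added example, not code from the thread or from any of the tools named in it; the dictionary and substitution table are constructed for illustration.

```python
import re

# Constructed mini dictionary standing in for a real wordlist that holds
# both single words and multi-word phrases (the thread's point is that
# crackers know both).
DICTIONARY = [
    "password", "letmein", "qwerty", "correct horse",
    "this is a fairly long password",
]

# Digit/symbol-for-letter swaps that rule-based crackers apply as a matter
# of course (zero for O, 1 for ell, @ for A ...). Constructed table.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def canonicalize(candidate: str) -> str:
    """Strip the decoration the thread discusses (case, spaces, odd
    characters, leet substitutions) so the result can be compared
    against a plain dictionary entry."""
    lowered = candidate.lower().translate(SUBSTITUTIONS)
    # Spaces and any remaining non-letter filler add nothing a rule
    # engine cannot remove, so they are dropped before comparison.
    return re.sub(r"[^a-z]", "", lowered)


# Canonical forms of the dictionary, computed once.
_CANON_DICT = {canonicalize(entry) for entry in DICTIONARY}


def is_dictionary_derived(candidate: str) -> bool:
    """True if the candidate is a dictionary word or phrase dressed up
    with spaces, case changes or character substitutions."""
    return canonicalize(candidate) in _CANON_DICT


def check_password(candidate: str) -> tuple[bool, str]:
    """Policy check a registration form could run: reject candidates a
    rule-based dictionary attack would recover despite the decoration."""
    if is_dictionary_derived(candidate):
        return False, "dictionary word/phrase with cosmetic changes"
    if len(candidate) < 12:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["pass word", "P@ssw0rd!", "This is a fairly long password",
               "Correct Horse", "tQ9#f ke2Lm,w8z"]:
        ok, why = check_password(pw)
        print(f"{pw!r:34} -> {canonicalize(pw)!r:28} "
              f"{'ACCEPT' if ok else 'REJECT'}: {why}")
```

Every space-separated or leet-decorated variant collapses to the same canonical string, which is why "always include at least one space" buys nothing against a rule-based wordlist.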