On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above? I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean. ;-) Just looking for ideas.
> >
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
>
> https://xkcd.com/936/

Not strictly true ... the crackers would probably use rainbow table attacks
first. Also, it isn't fair to compare an 11 character passwd against a 25
character passwd. For the *same* number of characters used in any given
passwd, a random lower/upper/numerical/symbol passwd will provide an
exponentially higher degree of difficulty in cracking it with brute force
than one which uses only lower case dictionary words. Anyway, these days many
attacks are focused on OS or hardware vulnerabilities which have been baked in
by design, rather than brute force attacks.

Any financial company worth their salt is employing 2-factor authentication
and account lockouts to stop brute forcing of users' credentials. So, guarding
against your own OS compromise is more important than individual website
credentials.

You will be surprised how many people are still using passwds like:

password
password1
arsenal
manchesterunited2018
fido

on websites which store their credit card details. O_O

You may want to take a look at app-admin/apg and, to mitigate against your
CPU's lack of randomness, use sys-apps/haveged. Combining multiple outputs of
apg should arrive at a passwd which is more secure than not.

-- 
Regards,
Mick
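The "same number of characters" argument above can be put in numbers. The following is an added example, not code from anyone on this thread and not apg's or haveged's code: it computes the standard log2 entropy estimate for a random password drawn from the full printable-ASCII set, for random lowercase letters, and for a passphrase of concatenated lowercase dictionary words of the same total length, and it generates both kinds of secret from the operating system's CSPRNG via Python's `secrets` module. The 2048-word list size is the figure xkcd 936 uses; the 6-character average word length, the 1e10 guesses/second offline cracking rate and the eight-word `SAMPLE_WORDLIST` are assumptions made for the demonstration and are marked as such in the code.

```python
"""Added example (not from the original thread): brute-force search space of
random-character passwords versus lowercase dictionary-word passphrases of
the same length, plus generation of both from the OS CSPRNG via `secrets`."""
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation; no space):
# the "lower/upper/numerical/symbol" alphabet from the thread.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
LOWER_ALPHABET = string.ascii_lowercase  # 26 characters

# Assumed parameters for the dictionary-word estimate: xkcd 936 assumes a
# 2048-word list (11 bits/word); 6 characters is an assumed average word length.
XKCD_WORDLIST_SIZE = 2048
ASSUMED_AVG_WORD_LEN = 6


def charset_entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols chosen independently and uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of `n_words` chosen independently and uniformly from a wordlist."""
    return n_words * math.log2(wordlist_size)


def dictionary_entropy_for_length(total_chars, wordlist_size=XKCD_WORDLIST_SIZE,
                                  avg_word_len=ASSUMED_AVG_WORD_LEN):
    """Estimate for a passphrase of concatenated dictionary words that is
    `total_chars` long: the attacker guesses whole words, not characters, so
    only the (roughly total_chars / avg_word_len) word choices count."""
    n_words = max(1, total_chars // avg_word_len)
    return passphrase_entropy_bits(n_words, wordlist_size)


def compare_same_length(total_chars):
    """Entropy in bits of three password styles with the same character count."""
    return {
        "random_full_charset": charset_entropy_bits(total_chars, len(FULL_ALPHABET)),
        "random_lowercase": charset_entropy_bits(total_chars, len(LOWER_ALPHABET)),
        "lowercase_dictionary_words": dictionary_entropy_for_length(total_chars),
    }


def expected_years_to_crack(bits, guesses_per_second):
    """Expected time to search half the space at a given (assumed) guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length, alphabet=FULL_ALPHABET):
    """Uniform random password; secrets.choice reads the OS CSPRNG (os.urandom)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words, wordlist, sep="-"):
    """Uniform random passphrase; its entropy is n_words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed toy wordlist for demonstration only; a real list needs thousands
# of entries for the 11-bits-per-word figure above to hold.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "gentoo", "emerge", "portage", "kernel"]

if __name__ == "__main__":
    for n in (11, 25):
        print(f"{n} characters:",
              {k: round(v, 1) for k, v in compare_same_length(n).items()})
    # Offline hash cracking at an assumed 1e10 guesses/s; a site with 2FA and
    # lockouts forces the far slower online rate instead.
    for bits in (passphrase_entropy_bits(4, XKCD_WORDLIST_SIZE),
                 charset_entropy_bits(11, len(FULL_ALPHABET))):
        print(f"{bits:.1f} bits at 1e10 guesses/s offline: "
              f"{expected_years_to_crack(bits, 1e10):.2e} years")
    print("random 16-char password:", generate_password(16))
    print("4-word passphrase from the toy list (only 12 bits!):",
          generate_passphrase(4, SAMPLE_WORDLIST))
```

Running it shows the point made in the reply: at 25 characters, random full-charset symbols give about 164 bits, random lowercase letters about 118 bits, and four concatenated dictionary words (the xkcd scheme) about 44 bits, so the search spaces differ by factors of 2 to the power of the bit difference, not by a constant. The `secrets` module pulls from the kernel CSPRNG, which is the right source for either style; what decides the strength is the size of the set each element is drawn from and how many elements there are.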