| 1 |
On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote: |
| 2 |
> On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote: |
| 3 |
> > > How do you, especially those who admin systems that are always being |
| 4 |
> > > hacked at, generate strong passwords that meet the above? I've |
| 5 |
> > > googled and found some ideas but if I use the same method, well, how |
| 6 |
> > > many others are using that same method, if you know what I |
| 7 |
> > > mean. ;-) Just looking for ideas. |
| 8 |
> > |
| 9 |
> > You could use a password generator to keep creating random passwords |
| 10 |
> > until it comes up with something you like the look of, then learn it by |
| 11 |
> > rote. I did that some time ago - it must be about time I did it again |
| 12 |
> > to make another one. |
| 13 |
> |
| 14 |
> https://xkcd.com/936/ |
| 15 |
|
| 16 |
Not strictly true ... the crackers would probably use rainbow tables attacks |
| 17 |
first. Also, it isn't fair to compare an 11 character passwd against a 25 |
| 18 |
character passwd. For the *same* number of characters used in any given |
| 19 |
passwd, a random lower/upper/numerical/symbol passwd will provide an |
| 20 |
exponentially higher degree of difficulty in cracking it with brute force, |
| 21 |
than one which uses only lower case dictionary words. Anyway, these days many |
| 22 |
attacks are focused on OS or hardware vulnerabilities which have been baked in |
| 23 |
by design, rather than brute force attacks. |
| 24 |
|
| 25 |
Any financial company worth their salt are employing 2-factor authentication |
| 26 |
and account lockups to stop brute forcing of users credentials. So, guarding |
| 27 |
against your own OS compromise is more important than individual website |
| 28 |
credentials. |
| 29 |
|
| 30 |
You will be surprised how many people are still using passwds like: |
| 31 |
|
| 32 |
password |
| 33 |
password1 |
| 34 |
arsenal |
| 35 |
manchesterunited2018 |
| 36 |
fido |
| 37 |
|
| 38 |
on websites which store their credit card details. O_O |
| 39 |
|
| 40 |
You may want to take a look at app-admin/apg and to mitigate against your |
| 41 |
CPU's lack of randomness use sys-apps/haveged. Combining multiple outputs of |
| 42 |
apg should arrive at a passwd which is more secure than not. |
| 43 |
|
| 44 |
-- |
| 45 |
Regards, |
| 46 |
Mick |
Archives