Password Strength


stevesy
August 8th, 2013, 09:52 PM
Hey just wondering if any of you can shed some light on how the figure of 15+ characters (including at least 3 of each character type) was arrived at for being a "strong password"? Just curious with the recent goings on..

slw210
August 8th, 2013, 10:39 PM
You might find reading the WIKIPEDIA for Passwords (https://en.wikipedia.org/wiki/Strong_password) helpful.

1clue
August 8th, 2013, 11:14 PM
My personal slant on it is that most people pick passwords like p@55Wrd which in my mind aren't that much better than a plain text password.

You need to be able to remember the password and type it fairly easily, but randomness and non-word-ness (I invented that, don't look it up) make more sense to me.

I generated a dsa key and called it passwordsource, and when I need a new password I copy some text out of that. Sometimes I add a character so more groups are represented.

I don't agree with 3 characters of each type. That's adding predictability to the password. More groups is good.

One thing I do is remember a long password, mentally break it into groups that I can remember, and then combine different groups to make different passwords. Those passwords are STILL at least 12 characters and totally random DSA key segments, but I find I can remember more passwords this way.

stevesy
August 8th, 2013, 11:25 PM
I was hoping for a more human touch. But yeah slw210 that's perfect, thanks : ]

Netstatus
August 8th, 2013, 11:43 PM
I find using an adjective+noun+randomnumbers password to be best.
You can play around with capitalisation and short forms and such while still keeping it memorable as it has something human to it.
I think you can make any password - however complicated- memorable, as long as you create a meaning around it yourself.

buzzingrobot
August 9th, 2013, 12:00 AM
I'm not aware of anyone designating 15 characters as a password threshold. Longer passwords are generally held to take longer to crack than shorter passwords.

stevesy
August 9th, 2013, 12:08 AM
https://help.ubuntu.com/community/StrongPasswords

buzzingrobot
August 9th, 2013, 02:42 AM
https://help.ubuntu.com/community/StrongPasswords

Ah... well, we still don't know, because they don't cite any sources or support. If they're going to say something "is defined" they really ought to tell us who's doing the defining and why. An anonymous post in Ubuntu's help site won't cut it.

I'm certainly not arguing that a 15-character password is no better than, say, an 8-character password. But, if there's evidence that using 15 characters is a threshold that introduces a new level of protection, I'm curious.

Otherwise, I'll assume it's just another of those "they say" things that float endlessly around the net.

Make your passwords as long and as messy and as irrational as you can cope with. I generate mine by having a lengthy nonsense character string based on a mnemonic that is based, in turn, on a phrase describing events known only to me (and it includes deliberate errors in case someone gets lucky guessing). I wrap that within two strings taken from a single long string that I generate, in my head, using an algorithm I've memorized that is applied to a unique feature of each site requiring a password. That gives me a rather long unique password for each site. I only need to remember the core sequence because I generate the rest of each password on the fly each time I need it. I doubt if they are quite as foolproof as a 100-character random string generated by a password manager. Since I really don't like using a password manager, it will hafta do.

llanitedave
August 9th, 2013, 02:48 AM
I forget all my passwords regularly, no matter how easy to remember they are.

Copper Bezel
August 9th, 2013, 08:20 AM
Ah... well, we still don't know, because they don't cite any sources or support. If they're going to say something "is defined" they really ought to tell us who's doing the defining and why. An anonymous post in Ubuntu's help site won't cut it.
For what it's worth, 15 characters matches the NIST guideline from the Wikipedia page for case-sensitive alphabetical passwords. (Not case-sensitive alphanumeric, which is 14, but still.)

l3dx
August 9th, 2013, 09:00 AM
This comes to mind :)

http://xkcd.com/936/

Elfy
August 9th, 2013, 09:11 AM
https://help.ubuntu.com/community/StrongPasswords

That is a community wiki - anyone can put anything they want in there - it's just peer reviewed.

stevesy
August 9th, 2013, 12:43 PM
My personal slant on it is that most people pick passwords like p@55Wrd which in my mind aren't that much better than a plain text password.

You need to be able to remember the password and type it fairly easily, but randomness and non-word-ness (I invented that, don't look it up) make more sense to me.

I generated a dsa key and called it passwordsource, and when I need a new password I copy some text out of that. Sometimes I add a character so more groups are represented.

I don't agree with 3 characters of each type. That's adding predictability to the password. More groups is good.

One thing I do is remember a long password, mentally break it into groups that I can remember, and then combine different groups to make different passwords. Those passwords are STILL at least 12 characters and totally random DSA key segments, but I find I can remember more passwords this way.

Interesting. Is generating a dsa key difficult to do?

stevesy
August 9th, 2013, 12:45 PM
That is a community wiki - anyone can put anything they want in there - it's just peer reviewed.

Would you say it's accurate?

stevesy
August 9th, 2013, 12:55 PM
Ah... well, we still don't know, because they don't cite any sources or support. If they're going to say something "is defined" they really ought to tell us who's doing the defining and why. An anonymous post in Ubuntu's help site won't cut it.

I'm certainly not arguing that a 15-character password is no better than, say, an 8-character password. But, if there's evidence that using 15 characters is a threshold that introduces a new level of protection, I'm curious.

Otherwise, I'll assume it's just another of those "they say" things that float endlessly around the net.

Make your passwords as long and as messy and as irrational as you can cope with. I generate mine by having a lengthy nonsense character string based on a mnemonic that is based, in turn, on a phrase describing events known only to me (and it includes deliberate errors in case someone gets lucky guessing). I wrap that within two strings taken from a single long string that I generate, in my head, using an algorithm I've memorized that is applied to a unique feature of each site requiring a password. That gives me a rather long unique password for each site. I only need to remember the core sequence because I generate the rest of each password on the fly each time I need it. I doubt if they are quite as foolproof as a 100-character random string generated by a password manager. Since I really don't like using a password manager, it will hafta do.

Long, messy and irrational. Got it! : ]

stevesy
August 9th, 2013, 01:01 PM
I forget all my passwords regularly, no matter how easy to remember they are.

You don't write them down somewhere?

Netstatus
August 9th, 2013, 01:05 PM
You don't write them down somewhere?

I wouldn't suggest doing so at any point.
I don't think it's normally that much of an issue to do so but since we're looking for the optimal system here, I'd not recommend it.

ssam
August 9th, 2013, 01:30 PM
I recommend this article, which explains in practice how password cracking works.
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

stevesy
August 9th, 2013, 01:44 PM
I wouldn't suggest doing so at any point.
I don't think it's normally that much of an issue to do so but since we're looking for the optimal system here, I'd not recommend it.

Should I set fire to my password list immediately then?

Netstatus
August 9th, 2013, 01:46 PM
Should I set fire to my password list immediately then?

Most definitely ;)

buzzingrobot
August 9th, 2013, 01:55 PM
I just ordered a ThinkPad which has a fingerprint authenticating gizmo. Cute, as far as it goes.

Passwords are ugly and need to go. If we didn't use passwords, we would not have to worry about bad passwords, password cracking, etc.

Netstatus
August 9th, 2013, 02:08 PM
I think my password is pretty good-looking, to be honest ;)

If we switched to fingerprint authenticators, we would just change the wording as we would worry about bad fingerprint authenticators (meaning they can be circumvented/cracked) and 'fingerprint authenticator cracking'.

kurt18947
August 9th, 2013, 02:28 PM
I don't know how good these are but I run any new passwords I devise through both. Makes me feel better :).

http://password-checker.online-domain-tools.com/

https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

fyfe54
August 9th, 2013, 03:11 PM
I just started using Keepass. http://keepass.info/
There is a portable version, database is encrypted, rates password strength, creates random passwords etc.
I'm getting comfortable with it and am about ready to remove saved passwords from Opera and use Keepass exclusively.

Elfy
August 9th, 2013, 05:05 PM
Would you say it's accurate?

That wasn't my point - my point was if someone had said 4 the whole context of including that page would have been moot.

1clue
August 9th, 2013, 06:27 PM
Interesting. Is generating a dsa key difficult to do?

ssh-keygen -t dsa

When it asks for the name of the key, type 'passwordsource' or whatever. It's a text file, you can open it (don't ever post it anywhere) and then search for something that's random but which you think you can remember.

stevesy
August 9th, 2013, 08:22 PM
ssh-keygen -t dsa

When it asks for the name of the key, type 'passwordsource' or whatever. It's a text file, you can open it (don't ever post it anywhere) and then search for something that's random but which you think you can remember.

Thanks very much 1clue, I tried it out:

http://img827.imageshack.us/img827/3316/9xkf.png

Now to find a tutorial.. ; ]

1clue
August 9th, 2013, 08:55 PM
No tutorial really necessary. Open passwordsource in your favorite text editor, find something in there that looks undecipherable but memorable, and change your password to it. I would advise storing that password temporarily until you're sure you have it, but put it in an inconvenient place you can't see from your computer so you have to memorize it short-term in order to use it. Then throw it out after awhile.

stevesy
August 9th, 2013, 09:19 PM
No tutorial really necessary. Open passwordsource in your favorite text editor, find something in there that looks undecipherable but memorable, and change your password to it. I would advise storing that password temporarily until you're sure you have it, but put it in an inconvenient place you can't see from your computer so you have to memorize it short-term in order to use it. Then throw it out after awhile.

Ahhh ok thanks, I was looking at the hex fingerprints.. Should I do anything with the public key? : |

1clue
August 9th, 2013, 09:26 PM
Well they're both essentially random text strings that fall into all the four character groups wanted by passwords. I look in one file one time, and another one the next.

The whole DSA key idea is this: A DSA key file is supposed to provide randomness within a character range, meaning that the file is text and it won't have certain characters in it. The characters it has are good password characters.

A DSA key is not keyboard smashing, it's as random as I can easily devise on any computer wherever I am. The key gives passwords that are not words, nor pseudo-words, nor birthdays nor lucky numbers, have nothing to do with me or anyone I know or any hobby. Meaning it's the least predictable thing I can come up with. Which is what passwords are supposed to be.
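Putting numbers on the two points above (a key file's base64 alphabet as the character range, and "3 of each type" adding predictability), as an added example that is not from the thread or from any of its posters: it draws the same character range straight from the OS CSPRNG with Python's secrets module, and counts exactly how many strings the composition rule removes. The four classes over the 94 printable ASCII characters and the 15-character / 3-per-class policy come from the thread; the function names are my own.

```python
import math
import secrets
import string
from itertools import product

# Printable ASCII without the space: 26 + 26 + 10 + 32 = 94 characters in four classes.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
# The base64 alphabet an OpenSSH key body is written in (the range the thread reads passwords out of).
B64_ALPHABET = string.ascii_letters + string.digits + "+/"

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)

def random_password(length: int = 15, alphabet: str = B64_ALPHABET) -> str:
    """Same character range as a key file, but drawn straight from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def class_counts(password: str) -> dict:
    """Count characters per class; anything that is not a letter or digit counts as a symbol."""
    counts = dict.fromkeys(CLASS_SIZES, 0)
    for ch in password:
        key = "lower" if ch.islower() else "upper" if ch.isupper() else "digit" if ch.isdigit() else "symbol"
        counts[key] += 1
    return counts

def meets_policy(password: str, min_length: int = 15, min_per_class: int = 3) -> bool:
    """The '15+ characters, at least 3 of each type' rule the thread asks about."""
    return len(password) >= min_length and min(class_counts(password).values()) >= min_per_class

def policy_keyspace(length: int, min_per_class: int) -> int:
    """Exact count of printable strings of `length` with >= `min_per_class` chars of every class."""
    sizes = list(CLASS_SIZES.values())
    total = 0
    for split in product(range(length + 1), repeat=len(sizes)):
        if sum(split) != length or min(split) < min_per_class:
            continue
        ways = math.factorial(length)
        for k in split:
            ways //= math.factorial(k)  # multinomial coefficient; every step divides exactly
        for k, size in zip(split, sizes):
            ways *= size ** k
        total += ways
    return total

def policy_cost_bits(length: int, min_per_class: int) -> float:
    """Entropy a composition rule removes from an otherwise uniformly random string."""
    return entropy_bits(94, length) - math.log2(policy_keyspace(length, min_per_class))
```

With min_per_class set to 0 the count equals 94 to the power of the length (the multinomial theorem), which is a handy self-check; with the thread's 3-per-class rule it comes out a few bits lower.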

stevesy
August 9th, 2013, 10:38 PM
Well they're both essentially random text strings that fall into all the four character groups wanted by passwords. I look in one file one time, and another one the next.

The whole DSA key idea is this: A DSA key file is supposed to provide randomness within a character range, meaning that the file is text and it won't have certain characters in it. The characters it has are good password characters.

A DSA key is not keyboard smashing, it's as random as I can easily devise on any computer wherever I am. The key gives passwords that are not words, nor pseudo-words, nor birthdays nor lucky numbers, have nothing to do with me or anyone I know or any hobby. Meaning it's the least predictable thing I can come up with. Which is what passwords are supposed to be.

Thanks for the explanation 1clue, appreciate that : ]