Password Strength

[l3dx]

This comes to mind

http://xkcd.com/936/

[Elfy]

https://help.ubuntu.com/community/StrongPasswords

That is a community wiki - anyone can put anything they want in there - it's just peer reviewed.

[stevesy]

My personal slant on it is that most people pick passwords like p@55Wrd which in my mind aren't that much better than a plain text password.

You need to be able to remember the password and type it fairly easily, but randomness and non-word-ness (I invented that, don't look it up) make more sense to me.

I generated a dsa key and called it passwordsource, and when I need a new password I copy some text out of that. Sometimes I add a character so more groups are represented.

I don't agree with 3 characters of each type. That's adding predictability to the password. More groups is good.

One thing I do is remember a long password, mentally break it into groups that I can remember, and then combine different groups to make different passwords. Those passwords are STILL at least 12 characters and totally random DSA key segments, but I find I can remember more passwords this way.

Interesting. Is generating a dsa key difficult to do?

[stevesy]

That is a community wiki - anyone can put anything they want in there - it's just peer reviewed.

Would you say it's accurate?

[stevesy]

Ah... well, we still don't know, because they don't site any sources or support. If they're going to say something "is defined" they really ought to tell us who's doing the defining and why. An anonyous post in Ubuntu's help site won't cut it.

I'm certainly not arguing that a 15-character password is no better than, say, an 8-character password. But, if there's evidence that using 15 characters is a threshold that introduces a new level of protection, I'm curious.

Otherwise, I'll assume it's just another of those "they say" things that float endlessly around the net.

Make your passwords as long and as messy and as irrational as you can cope with. I generate mine by having a lengthy nonsense character string based on a mnemonic that is based, in turn, on a phrase describing events known only to me (and it includes deliberate errors in case someone gets lucky guessing). I wrap that within two strings taken from a single long string that I generate, in my head, using an algorithm I've memorized that is applied to a unique feature of each site requiring a password. That gives me a rather long unique password for each site. I only need to remember the core sequence because I generate the rest of each password on the fly each time I need it. I doubt if they are quite as foolproof as a 100-character random string generated by a password manager. Since I really don't like using a password manager, it will hafta do.

Long, messy and irrational. Got it! : ]

[stevesy]

I forget all my passwords regularly, no matter how easy to remember they are.

You don't write them down somewhere?

[Netstatus]

You don't write them down somewhere?

I wouldn't suggest doing so at any point.
I don't think it's normally that much of an issue to do so but since we're looking for the optimal system here, I'd not recommend it.

[ssam]

I recommend this article, which explains in practice how password cracking works.
http://arstechnica.com/security/2013...sword-cracker/

[stevesy]

I wouldn't suggest doing so at any point.
I don't think it's normally that much of an issue to do so but since we're looking for the optimal system here, I'd not recommend it.

Should I set fire to my password list immediately then?

[Netstatus]

Should I set fire to my password list immediately then?

Most definitely