On 30 October 2011 15:46, Thomas Dalton <thomas.dalton(a)gmail.com> wrote:
> On 30 October 2011 15:38, Neil Harris <neil(a)tonal.clara.co.uk> wrote:
>> However, this is way, way, way lower risk than the current risk of
>> brute-forcing low-hanging-fruit user passwords...
>
> A password from /dev/random is extremely insecure.
I don't believe these two statements are in any way mutually exclusive.
There are degrees of "extremely insecure" in which "password1" ranks
significantly higher than "the password I keep on the post-it in my desk
drawer". One is very weak in the face of anyone connected to the internet,
one is very weak in the face of anyone who has access to your office.
Significantly more people have access to the internet than have access to
your office/home/phone/filesystem. Neither threat is negligible, both are
worth taking sensible measures to counter. But the point where the
conversation loses all sense of perspective is when it loses all level of
utility.
--HM