On 30 October 2011 15:38, Neil Harris <neil(a)tonal.clara.co.uk> wrote:
> However, this is way, way, way lower risk than the current risk of
> brute-forcing low-hanging-fruit user passwords: for every user with a
> password generated by base64-encoding the output of /dev/random, there
> will be _thousands_ with passwords like "secret99" and "trustno1".
A password from /dev/random is extremely insecure. It is highly
susceptible to the "find where they wrote it down because it's far too
difficult to remember" attack.
Obligatory xkcd link:
http://xkcd.com/936/
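Added example (not part of the thread, and not code from either poster): the entropy arithmetic behind the three password styles mentioned above, base64 of /dev/random output, a "secret99"-style word plus digits, and the xkcd passphrase. It assumes that secrets.token_bytes() (the OS CSPRNG) stands in for reading /dev/random, that a real diceware list has 7776 words (the wordlist below is a constructed stand-in), and that an attacker's offline guess rate is 1e10/s; all three are assumptions, not figures from the thread.

```python
"""Added example: entropy accounting for the password styles in the thread.

Assumptions (not from the thread): secrets.token_bytes() models reading
/dev/random; DICEWARE_SIZE models a real diceware list; the guess rate in
main() is an assumed offline rate against a fast, unsalted hash.
"""
import base64
import math
import secrets

# Constructed stand-in for a diceware list; a real list has DICEWARE_SIZE words.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "tonal", "clara",
                   "secret", "trust", "random", "entropy", "keyboard", "cipher"]
DICEWARE_SIZE = 7776   # assumed size of a real diceware list (6**5)
BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def random_base64_password(n_bytes=12):
    """What 'base64-encoding the output of /dev/random' produces.
    secrets.token_bytes() reads the OS CSPRNG, so n_bytes of entropy go in;
    base64 merely re-encodes them at 6 bits per character and adds none."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def base64_password_bits(n_bytes):
    """Entropy of the string above: all of it is in the raw bytes, so 8 bits
    per byte, not 6 bits per output character (padding carries nothing)."""
    return 8 * n_bytes


def random_passphrase(k, wordlist=SAMPLE_WORDLIST):
    """xkcd-style passphrase: k words drawn uniformly with a CSPRNG.
    Memorable, but each word carries only log2(len(wordlist)) bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(k))


def passphrase_bits(k, wordlist_size=DICEWARE_SIZE):
    """Entropy of a k-word passphrase drawn uniformly from wordlist_size words."""
    return k * math.log2(wordlist_size)


def word_plus_digits_bits(dictionary_size, n_digits):
    """'secret99'-style password: one dictionary word plus a short number.
    This is the space an attacker who knows the pattern has to search,
    however unguessable the word feels to its owner."""
    return math.log2(dictionary_size) + n_digits * math.log2(10)


def expected_crack_seconds(bits, guesses_per_second):
    """Average brute-force time: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, guesses per second
    cases = [
        ("base64 of 12 random bytes", random_base64_password(12),
         base64_password_bits(12)),
        ("word + 2 digits (100k-word dictionary)", "secret99",
         word_plus_digits_bits(100_000, 2)),
        ("4-word diceware passphrase", random_passphrase(4),
         passphrase_bits(4)),
    ]
    for label, example, bits in cases:
        print(f"{label:40s} {example!r:24s} {bits:6.1f} bits "
              f"~{expected_crack_seconds(bits, rate):.3g} s to crack")
```

The point the arithmetic makes is the one the thread is circling: the 12-byte base64 string is 96 bits and unreachable offline, but it is also unmemorable, so the realistic threat becomes the sticky note; a 4-word passphrase is about 52 bits, far above "secret99" (roughly 23 bits against a 100k-word dictionary), while still being something a user can carry in their head.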