On 30 October 2011 15:46, Thomas Dalton thomas.dalton@gmail.com wrote:
On 30 October 2011 15:38, Neil Harris neil@tonal.clara.co.uk wrote:
However, this is way, way, way lower risk than the current risk of brute-forcing low-hanging-fruit user passwords...
A password from /dev/random is extremely insecure.
I don't believe these two statements are in any way mutually exclusive. There are degrees of "extremely insecure" in which "password1" ranks significantly higher than "the password I keep on the post-it in my desk drawer". One is very weak in the face of anyone connected to the internet; one is very weak in the face of anyone who has access to your office. Significantly more people have access to the internet than have access to your office/home/phone/filesystem. Neither threat is negligible; both are worth taking sensible measures to counter. But the point where the conversation loses all sense of perspective is when it loses all level of utility.
--HM