[WikiEN-l] Please change your passwords.

Gregory Maxwell gmaxwell at gmail.com
Mon May 7 20:13:40 UTC 2007


On 5/7/07, Snowolf <mtazio at gmail.com> wrote:
> I've added a question to all en.wp's running RfA that asks candidates if
> their password is "[[..] alphanumeric? Formed by at least 8 characters? Not
> by words in the dictionary? Not in the weakest password list?".

Careful: most of these factors trade off against each other.

For example, an S/KEY pass phrase looks like "TWIG LET IFFY DATE RON
CARL". All dictionary words, easy to type and remember... Yet it
contains 64 bits of entropy, which is far better than what you usually
get when you tell people "mixed character classes, at least 8
characters, not words in the dictionary".

Most people given those restrictions type out letter patterns on the
keyboard. Cracking programs like john the ripper have rules systems
which predict such patterns with frightening accuracy.

The correct advice should be to use a phrase instead of a 'word'.  "i
like fluffy rice at 6am!" is a reasonably strong password. Throw in a
short random string and you have something that isn't practicably
crackable even by someone targeting only your account.... at that
point someone who wanted to control your account would have an easier
time tricking you into running a password grabbing trojan.
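As an added illustration of the S/KEY arithmetic in the message above (this is example code, not from the post and not the S/KEY reference implementation): RFC 2289 packs 64 secret bits plus a 2-bit checksum into six 11-bit indices into a 2048-word dictionary, which is why six dictionary words carry 64 bits. The standard word list is not embedded, so the code works on word indices; the alphabet sizes used for the comparison are assumptions.

```python
import math
import secrets

# RFC 2289 (S/KEY) parameters: a 2048-word dictionary, six words per phrase.
SKEY_DICT_SIZE = 2048
WORDS_PER_PHRASE = 6

def skey_checksum(value: int) -> int:
    """Two-bit checksum: sum the 32 two-bit groups of the 64-bit value, keep the low two bits."""
    total = sum((value >> i) & 0b11 for i in range(0, 64, 2))
    return total & 0b11

def encode_indices(value: int) -> list:
    """Split a 64-bit value (plus its 2-bit checksum, appended as the low bits)
    into six 11-bit dictionary indices, most significant word first."""
    if not 0 <= value < 1 << 64:
        raise ValueError("S/KEY encodes exactly 64 bits")
    bits66 = (value << 2) | skey_checksum(value)
    return [(bits66 >> (11 * (5 - k))) & 0x7FF for k in range(WORDS_PER_PHRASE)]

def decode_indices(indices) -> int:
    """Reverse encode_indices; reject a phrase whose checksum does not match."""
    if len(indices) != WORDS_PER_PHRASE or any(not 0 <= i < SKEY_DICT_SIZE for i in indices):
        raise ValueError("expected six indices in 0..2047")
    bits66 = 0
    for idx in indices:
        bits66 = (bits66 << 11) | idx
    value, chk = bits66 >> 2, bits66 & 0b11
    if chk != skey_checksum(value):
        raise ValueError("checksum mismatch: a word was mistyped or altered")
    return value

def new_phrase_indices() -> list:
    """Fresh 64-bit secret from the OS CSPRNG, as six word indices."""
    return encode_indices(secrets.randbits(64))

def skey_phrase_bits() -> float:
    """Entropy of a six-word phrase: 6 * 11 = 66 bits carried, minus 2 checksum bits."""
    return WORDS_PER_PHRASE * math.log2(SKEY_DICT_SIZE) - 2

def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Assumed alphabet size: 94 printable ASCII characters (not a figure from the post).
    print("S/KEY six words:    %.1f bits" % skey_phrase_bits())
    print("8 random printable: %.1f bits" % random_password_bits(94, 8))
    print("new phrase indices:", new_phrase_indices())
```

Even a uniformly random 8-character password over all printable ASCII falls short of the six-word phrase, and human-chosen keyboard patterns fall far shorter still.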


