On 30 October 2011 15:38, Neil Harris <neil@tonal.clara.co.uk> wrote:
> However, this is way, way, way lower risk than the current risk of brute-forcing low-hanging-fruit user passwords: for every user with a password generated by base64-encoding the output of /dev/random, there will be _thousands_ with passwords like "secret99" and "trustno1".
A password from /dev/random is extremely insecure. It is highly susceptible to the "find where they wrote it down because it's far too difficult to remember" attack.
Obligatory xkcd link: http://xkcd.com/936/