Digital Crumble

Crumbly on the outside, sweet and squishy inside. An attempt to bake sense into my online wanderings.

Apr 22
“Pick three words truly at random from large lists (or four from not so large lists), and then do your other stuff (symbol substitution, some capitalization). But the cleverer you try to be with meanings (even if only meaningful to you) the less random (lower entropy) will be your result.” Question on Master Password Strength - AgileBits

“Because we don’t know exactly how non-random human minds are when asked to pick passwords at random, we can’t calculate the strength of the passwords that they generate. We know that when people add “randopm” capitalization, they tend to do so at the beginning of syllables (as you did in your example). We know that when people add it symbols, they do so in very systematic ways. (Using ‘$’ or ‘s’ for example). Those transformations do help against current crackers, but you need to pick your words are random.” Question on Master Password Strength - AgileBits

“As Khad correctly points out picking words by some “twisted logic” is not a random as people often think it is. Also the fact that you used Greek is hardly unpredictable given your name.” Question on Master Password Strength - AgileBits

“If you’re just picking these out of your head, it’s extremely difficult to judge how secure they are. Humans are far more predictable than we like to admit. You truly do need some random system.” Question on Master Password Strength - AgileBits

“For the one password you do need to remember, we recommend Diceware. The idea is not to hide the system from an attacker but to have a system that — even if known to the attacker — is still strong.” Question on Master Password Strength - AgileBits

“The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.” Question on Master Password Strength - AgileBits

“(Of course, when I need a passphrase to be *particularly* secure, I make at least one of the words up out of whole cloth. And all of this does not negate the need for rate limiting, which is so fundamental I cannot imagine why the authors are bothering to mention password systems that don’t have it. Frankly, secure systems use mandatory delays that grow geometrically with the number of failed attempts — although it’s a good idea to exempt repeated failures using the same wrong password from said increase.)” Schneier on Security: The Security of Multi-Word Passphrases

“Of course, if you just pick words you like from the list the security goes out the window. The whole point of a random passphrase is to get true random word choices.” Schneier on Security: The Security of Multi-Word Passphrases

“Choosing a passphrase manually is just as bad as choosing a password manually. Choosing a passphrase randomly is better that choosing a random password.” Schneier on Security: The Security of Multi-Word Passphrases

“I recommend www.diceware.com for passwords you care about. People in these comments have been debating the virtues of 10 vs 20 bit entropy passphrases, when diceware is highly effective at generating memorable passphrases with 70 or 80 bits of provable entropy.” Schneier on Security: The Security of Multi-Word Passphrases

“Essentially by using a complex enough password, the victim is buying themselves more time in the common case to avoid catastrophic identity theft, which I believe is extremely valuable.” Schneier on Security: The Security of Multi-Word Passphrases

“There are some hints at a basic problem related to “paswword generation”. First of all, most of us seem to be generating passwords with some algorithm (pick first letters of a sentence, pick four words, use the xxx out of the www.xxx.com, prefix with pw and postfix with 99, etc). Any advice for good passwords suggests an algorithm (sort of). If I have an idea of your algorithm it better by a secure PRNG. Often it takes one password on one site to get an idea of your algorithm.” Schneier on Security: The Security of Multi-Word Passphrases

“Rather than yelling at your users to come up with better passwords, you run a password cracker on your users’ passwords (assuming you are in a scenario where you consider this ethical). Whenever it breaks one, it sends them a password change notice along with a note saying their password was nowhere near good enough. Until they’ve learned that lesson the hard way, you’re going to keep hearing things like, “nobody could guess that I took the initial letters of a line from ‘Romeo and Juliet’! Think how many plays there are!” or, “but I included a symbol, which should expand the space of possible characters into the bazillions!”” Schneier on Security: The Security of Multi-Word Passphrases

“But it means that any conversation about password/passphrase security inevitably devolves into a tremendous number of uninformed statements about what types of passwords and passphrases are or are not secure, plus anecdotes about how individual commenters construct their secure passwords. Misapplication of information theory can get pretty ubiquitous, and people seem to have some pretty ridiculous and misguided ideas about how an attacker goes about attacking a password or passphrase. There are a ton of misconceptions in the first few comments here already, and unpacking them all would be more work than I’m up for.” Schneier on Security: The Security of Multi-Word Passphrases

“D’autant que le Code rural dispose dans son article L.214-1 “Tout animal étant un être sensible doit être placé par son propriétaire dans des conditions compatibles avec les impératifs biologiques de son espèce”. Oui chers lecteurs, vous ne rêvez pas, le législateur a voté une loi qui existe déjà. Je vous confirme ce que votre intuition vous souffle : voter deux fois une loi n’en fait pas une super-loi ou une über-loi. Ça en fait juste un pléonasme.” Le législateur est-il un être doué de raison ? - Journal d’un avocat

Page 1 of 1053

Stephanie Booth. Stephanie Booth is a freelance internet geek who lives in Lausanne, Switzerland. Digital Crumble is where she dumps all sorts of interesting stuff she finds online.

Following:
merlin hexapod instagram teachingliteracy sexologist we-are-star-stuff fuckyouverymuch staff chriswoebken billso briansolis ferrydust gabydunn beatgozon ermedicine psychotherapy kickstarter johntropea itscolossal designerdaily quandmonchat lessig digitalyn clientsfromhell dianarainbowcheese whatleydude somewherehq fred-wilson cranquis martinroell crackrockmountain simplyann deshommesetdeschatons adactio chartier sdufaux itgetsbetterproject mccasal david austinkleon tripet rafer shitmystudentswrite mentakingup2muchspaceonthetrain talltattooedtexasgirl joanne-vs superamit mimolechat batixa ville-nouvelle chersvoisins naturalog tariqkrim core henrietteweber politis oneman stoweboyd danicar exiledesigns clopin petronillapaperdoll shashib jephjacques histoire assistanteveto gary mashablehq sahilk 8bitrevolver artdelacuriosite messagewithabottle homelessfornow vanderwal manchettes hyperlaxe nickreese lyonelkaufmann thekoiandthedragon novicephoenix neil-gaiman glenda salut-l-artiste theanimalblog tedr brianoberkirch gcn cafe-soda capucha pcrevoisier noneck jayparkinsonmd blakewhitman ajustetitre rogueleaderr twitterstatus thelausanneguide evrenk hithertodotnet dannie carnetdenote joiito clairecmc bibiweb ilovereadingandwriting factoryjoe vhunziker markgould13 gina gjb violetblue icelandwantstobeyourfriend thefoush kari-shma nghtlght chezlegygy meinekatze benwatt emptyage tablelinen bonjourlechat villagerswithpitchforks textfromdog bradleypjohnson jessicabigarel ulule houseofswitzerlandambassadors dyditastic reluctantbuddha thegoldenageisover apartness underpaidgenius pivwan haldenbeaumont sportballsreplacedwithcats matthewdipaolamd felicienleonard loobylu amandalindsayrose slashclip rocketboom amitguptaneedsyou annajobin premiertexto euansemple imajes seancregan thekittencovers gjacksonsdiary cargonomies clivethompson cgiorgi iindia deerard jayrosen arkham cmic 100daystyleradamsmith mycatisanerd vivdora francoismonney factandaphoto theeconomist whenyouliveinlausanne undercaffeinated jayparkinsonmain eclatsdesilex shitthatsirisays xcambar catroulette wildfood howardsbutt stephanieklebetsanis benoitmeunier everyoneisother actualfacebookgraphsearches oshiro leuthi theamazingios6maps futureerdoc archeomedias tommorrisdotorg ratp-hall-of-fake apipt cielmonchaton huslage windingstring jrochester 43folders the-write-idea joidiving soufron 3threenov raph jingc catatar e-miliep lstantzos 5by5studios relaxintheair thingstowatchin2011 mariutsch evernote helsisters bibliothecaire sshrpe noblasters miezekatzen materialco yourcontext technofeliz morgienne coldwaterswimming organicatoday masala-chai lelocal windowsotworld lisamac muslimswearingthings lpalli incisive tummler inboxzero yannik stephaniedk theawkwardboyfriend 6changes enquotations sravana workatjelly woodspock autisme notafish jononline inauguration suw galipeau