|
 |
>> Personally, I think the most /realistic/ way to gauge password strength
>> is to see how long it takes real, commonly-available password crackers
>> to break your password. After all, /that/ is what most unsophisticated
>> attackers are going to use against you.
>>
>
> This is the truth.
>
> A better philosophy in creating a password IMO is to come up with a
> sentence that includes capitalization and punctuation. This makes it
> harder for a computer to brute force it, I think.
As people on the forums have pointed out, a worrying number of things
have a /maximum/ password length. (!) Quite apart from taking a long
time to type a whole sentence, many systems won't allow you to use one
as a password.
(That said, PGP and GPG [yes, those are real product names] don't even
ask for a "password"; they want a "passphrase".)
The method I generally use is to take a complete sentence, but only type
the first letter of each word, plus any punctuation that might be
present. This has the unfortunately result that all my passwords tend to
start with an uppercase letter and end in a full spot. On the other
hand, how many password crackers are going to try "TSHwmygI." as a password?
Well, that rhetorical question is one I'd like to answer. But not on my
employer's VMs, apparently...
Post a reply to this message
|
|
