On Thu, Jan 15, 2015 at 6:56 AM, Brian <a...@cityscape.co.uk> wrote:
> [...]
> We are still on off-line cracking? How does this sound?

Hmm. I guess I should respond to your questions about IP spoofing and using strategy rather than pure brute force after all.

> Memorable passwords are good. Long, complex passwords are also good. One
> needn't exclude the other.

To a certain degree, they do. However,

> I can remember "TwasBrilligAndTheSlithyToves" and associate it with an
> account.
>
> Before signing up I do
>
>    echo TwasBrilligAndTheSlithyToves | sha1sum | base64 | cut -c -30
>
> The output is what I give to a site as a password.

Now you're talking sense. Maybe I don't need to answer your questions about IP spoofing and using strategy instead of pure brute force after all.

Although, when you don't have access to a command line that gives you sha1sum, you're back to having to work hard to remember what you gave that site for a password.

Frankly, rot13 or rot42 would get pretty close. But I would prefer a tool of my own making that I can use to exclusive-or the site name with my chosen pass-phrase before I pass it to the predictable shuffle.

But, as John Hasler points out, we're just sort of re-inventing (half of) ssh keys.

> Furthermore, before any future logins I can run the command again to get
> the same password. Isn't this on-line and off-line cracking taken care
> of?

Depends on whether the targeting attacker is aware that you use sha1sum on all your passwords. Or has a copy of the source code for my rot42xor tool.

This is the part that SSH keys get right, of course.

The argument, SSH keys versus passwords, is kind of missing the point, unless the argument itself helps people listening in think a bit more carefully about their security.

--
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.
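
Added example, not part of the original message: a Python sketch that reproduces the pipeline Brian posted and sets it beside a per-site derivation of the kind Joel says he would prefer. The function names, the use of PBKDF2-HMAC-SHA256 with the site name as salt, the iteration count and the example.org/example.net site names are assumptions; Joel's own tool would XOR the site name with the phrase, which this does not do.

```python
import base64
import hashlib


def thread_password(phrase: str) -> str:
    """Reproduce: echo PHRASE | sha1sum | base64 | cut -c -30"""
    # echo appends "\n" to the phrase; sha1sum prints "<40 hex digits>  -\n".
    sha1sum_out = hashlib.sha1((phrase + "\n").encode()).hexdigest() + "  -\n"
    # base64 encodes that *text*, not the raw digest, so the 30 characters
    # kept by cut cover only 22 full hex digits (about 88 bits of SHA-1).
    # The site name is never an input: every site gets the same password.
    return base64.b64encode(sha1sum_out.encode()).decode()[:30]


def site_password(phrase: str, site: str, iterations: int = 200_000) -> str:
    """Per-site variant (hypothetical helper, not the tool from the thread).

    The lower-cased site name is the salt of a slow KDF, so each site gets a
    different password and each guess at the phrase costs about `iterations`
    HMAC-SHA256 calls instead of a single SHA-1.
    """
    raw = hashlib.pbkdf2_hmac(
        "sha256", phrase.encode(), site.lower().encode(), iterations, dklen=24
    )
    # 24 raw bytes -> 32 base64 characters; keep 30 as the thread does.
    return base64.b64encode(raw).decode()[:30]


if __name__ == "__main__":
    phrase = "TwasBrilligAndTheSlithyToves"  # the phrase quoted in the thread
    print("thread pipeline :", thread_password(phrase))
    for site in ("example.org", "example.net"):  # constructed site names
        print(f"{site:16}:", site_password(phrase, site))
```

In both versions the scheme itself is assumed to be known to the attacker, so the strength of the result rests entirely on how hard the pass-phrase is to guess.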