On Wed 23 Aug 2017 at 09:11:15 +0900, Lck Ras wrote:

> On 08/23/2017 07:31 AM, Brian wrote:
> > On Tue 22 Aug 2017 at 15:14:37 -0500, Mario Castelán Castro wrote:
> > You can recommend what you want but give me
> >
> > IhaveaMemorablePasswordwhichIwillnotforget!
> >
> > as opposed to
> >
> > WVAq7XLM4va6e1A4Bb4+Zw
> >
> > You will now explain why the first one will be broken in the next
> > 100 years. I'm past caring after that.
>
> The problem with that kind of password generation is that it leaks in
> unexpected ways, and it can be hard to understand how much it matters.
>
> When you know nothing about a password, it can be quite hard to guess,
> but as you reveal more information about it and its construction (max
> length, character set, format, etc.) it becomes easier and easier.
>
> With randomly generated passwords, you still have an easy-to-understand
> "hard limit" on how easy it will be to guess, unless you start leaking
> individual characters of it, even if you reveal how the password is
> constructed.
>
> On the other hand, with passwords like the ones you described, it can be
> quite difficult to gauge how hard it is to guess, and how much you can
> reveal about it before it being unsafe.

You should never reveal how your passwords are generated. In detail,
that is; in principle there might be no harm done.

> E.g. knowing that you create your passwords like that can make it
> significantly easier for someone else to guess your password, which
> could potentially be dangerous, especially if done by someone who knows
> you well.

Agreed. Account passwords being guessed can surely only happen when the
account owner is known to the perpetrator.

> I personally use diceware, which is relatively memorable and secure
> enough. Revealing the fact that I use diceware makes guessing my
> passwords significantly easier, but it still is very far in the
> "impossible" territory.
>
> I don't think leaving your passwords up to chance is a good idea. You
> should know, not guess, whether it is safe or not.

How does one know

MyDogHasNoNose.HowDoesItSmell?Terrible!

(old jokes are very memorable) is a safe password?

-- 
Brian.
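The "hard limit" mentioned in the quoted message, worked through as an added example that is not part of the original thread: for a secret whose symbols are drawn uniformly at random, the guessing cost is fixed by pool size and length even when the scheme is public. The function names, the guess rate of 10^12 per second and the eight-word demo list are assumptions made for this illustration.

```python
import math
import secrets

# Alphabet of the 22-character random password quoted in the thread.
BASE64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz0123456789+/")
DICEWARE_LIST_SIZE = 6 ** 5   # five dice rolls select one of 7776 words
ASSUMED_GUESSES_PER_SECOND = 1e12   # assumption for illustration only
# Constructed stand-in list; a real diceware list has 7776 entries.
DEMO_WORDS = ["anvil", "bramble", "copper", "dune",
              "ember", "fjord", "gravel", "harbor"]


def entropy_bits(pool_size, picks):
    """Entropy when every pick is uniform and independent.

    This holds even if the attacker knows the pool and the number of
    picks, which is the "hard limit" for randomly generated secrets.
    """
    return picks * math.log2(pool_size)


def picks_needed(pool_size, target_bits):
    """Smallest number of picks that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every candidate; the average case is half of this."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate(pool, picks, sep=""):
    """Draw picks items from pool using the OS CSPRNG."""
    return sep.join(secrets.choice(pool) for _ in range(picks))


if __name__ == "__main__":
    for label, pool, picks in [("22 base64 chars", 64, 22),
                               ("6 diceware words", DICEWARE_LIST_SIZE, 6)]:
        bits = entropy_bits(pool, picks)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years to exhaust")
    print(generate(BASE64_ALPHABET, 22))
    print(generate(DEMO_WORDS, 6, sep=" "))
```

The same calculation cannot be applied to a sentence chosen by a person, because its words are not uniform independent draws from a known pool.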