On 08/24/2017 02:11 AM, Brian wrote:
> You should never reveal how your passwords are generated. In detail,
> that is; in principle there might be no harm done.

But how do you know how much you can reveal about it until there is real harm done? You can't really know for sure how much entropy your password has, unlike a randomly generated password, where it is significantly easier to estimate. Revealing as much as "my passwords are 30 random alphanumeric characters" will be fine in that case, but there is no such measure with passwords like the ones you have described.

>> E.g. knowing that you create your passwords like that can make it
>> significantly easier for someone else to guess your password, which
>> could potentially be dangerous, especially if done by someone who knows
>> you well.
>
> Agreed. Account passwords being guessed can surely only happen when the
> account owner is known to the perpetrator.

Sure, but the problem is that the account owner may not even be aware that this is happening. For example, with human-generated passwords, telling a joke, talking about your mother's maiden name, or talking about your favorite band may be leaking information about your passwords, and it is really hard to understand how much (or how little) damage it has done. With passwords, you should be sure, not guess, that you are safe.

> How does one know
>
> MyDogHasNoNose.HowDoesItSmell?Terrible!
>
> (old jokes are very memorable) is a safe password?

You don't, and that's the problem, I believe.
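The contrast drawn above, between a policy whose entropy can be stated exactly ("30 random alphanumeric characters") and a memorised phrase whose real entropy collapses to the handful of choices the author made, can be put in numbers. The following Python is an added illustration, not code from anyone in this thread; the `JOKE_RECIPE_POOLS` sizes are constructed assumptions about how many jokes, casings and separators a person might plausibly pick from, not measurements of any real user.

```python
import math
import secrets
import string

# Alphabet for the "30 random alphanumeric characters" policy mentioned in the thread.
ALPHANUM = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits_uniform(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size symbols.

    This is the easy case: the description of the generator *is* the entropy
    estimate (length * log2(alphabet_size)), so stating the policy costs nothing.
    """
    return length * math.log2(alphabet_size)


def generate_random_password(length: int = 30, alphabet: str = ALPHANUM) -> str:
    """Produce a password whose entropy is exactly entropy_bits_uniform(len(alphabet), length)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def naive_length_entropy(password: str) -> float:
    """What a length-and-charset strength meter would report.

    It assumes every character was chosen independently from the union of the
    character classes present, which is precisely the assumption a memorised
    sentence violates.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet_size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet_size)


def scheme_entropy(choice_pool_sizes: list[int]) -> float:
    """Entropy of a password once its construction recipe is known.

    Each element is the size of one independent pool the author picks from
    (which joke, which separator, ...). The entropy is log2 of the product of
    the pool sizes, no matter how long the resulting string is.
    """
    return sum(math.log2(n) for n in choice_pool_sizes)


# Constructed, hypothetical recipe for a "memorable old joke" password.
# The pool sizes are assumptions chosen only to illustrate the gap.
JOKE_RECIPE_POOLS = [
    1000,  # jokes the author is likely to remember
    4,     # capitalisation conventions (CamelCase, lowercase, ...)
    10,    # separator symbols between sentences
    3,     # where the closing flourish ("Terrible!") goes
]


def compare(password: str, recipe_pools: list[int]) -> dict[str, float]:
    """Return the three estimates side by side, in bits."""
    return {
        "random_30_alnum": entropy_bits_uniform(len(ALPHANUM), 30),
        "naive_meter": naive_length_entropy(password),
        "recipe_known": scheme_entropy(recipe_pools),
    }


if __name__ == "__main__":
    # Example password quoted in the thread above.
    for name, bits in compare("MyDogHasNoNose.HowDoesItSmell?Terrible!", JOKE_RECIPE_POOLS).items():
        print(f"{name:>16}: {bits:6.1f} bits")
```

Run as a script, the output shows the random policy at roughly 179 bits, the strength meter crediting the joke password with about 249 bits because of its 39 characters, and the same password worth about 17 bits once the recipe is assumed known. The middle number is the misleading one: it is what you see when you cannot describe your own generation process, and it is why "I can't tell how much I've revealed" is the honest answer for human-made passwords.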