<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body ><div>Keys, my friend, keys ;-)</div><div><br></div><div><br></div><br><br><div>-------- Original message --------</div><div>From: Bill Baker <bill_chris@earthlink.net> </div><div>Date:05/23/2014 7:57 PM (GMT-05:00) </div><div>To: colug-432@colug.net </div><div>Subject: Re: [colug-432] password survey </div><div><br></div>Thanks for the articles. I glanced through the second link, the one you<br>said references XKCD, and the password examples they gave that their<br>crackers were able to decipher were terrible. If they weren't too<br>short, the words they used were related to each other, not random<br>dictionary words. And the article points out, correctly, that you<br>should not use the example in the XKCD comic because -- duh! -- the<br>crackers added that one to their list on the day the comic came out.<br><br>So what do we do? It's already known that short passwords are easy to<br>crack. Long passwords with complexity are hard to remember, and<br>apparently easier to crack now. Additionally, most companies have<br>policies in place where you have to change your password every 60 to 90<br>days, so people are more likely to choose a crackable password. I still<br>maintain that the password in the joke (if it was not already a<br>well-known joke) would be practically Fort Knox secure.<br><br>On 05/23/2014 07:31 PM, Rob Funk wrote:<br>> On Friday, May 23, 2014 07:11:27 PM Bill Baker wrote:<br>>> I don't know about that. According to howsecureismypassword.net, it<br>>> would take a desktop PC about a tresvigintillion years to crack that<br>>> password. Plus, Randall Munroe pointed out at http://xkcd.com/936/ that<br>>> a password consisting of four random dictionary words would take a long<br>>> time for a computer to guess. 
So nine would presumably take even longer.<br>> A few years ago (probably even when Judd's friend's joke was invented) I<br>> would've been right there with ya. But your information is out of date. Ars<br>> Technica has done a bunch of good articles about why and how, e.g.:<br>><br>> http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/<br>> http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/ (in-depth, and references that XKCD)<br>> http://arstechnica.com/security/2012/08/passwords-under-assault/<br>> http://arstechnica.com/security/2013/07/how-elite-security-ninjas-choose-and-safeguard-their-passwords/<br>><br><br>_______________________________________________<br>colug-432 mailing list<br>colug-432@colug.net<br>http://lists.colug.net/mailman/listinfo/colug-432<br></body>