<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 10, 2015, at 13:38, Scott Merrill <<a href="mailto:skippy@skippy.net" class="">skippy@skippy.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">"Amazon," for instance, becomes "5FHX7E" for a password using this scheme, but you don't have to memorize it --<br class="">only the scheme itself.<br class=""></blockquote><br class="">I realize that's an example, but it's also a very weak password - short, all uppercase, and no symbols.<br class=""></blockquote><br class="">That’s true, but passwords do not exist in a vacuum. A password like the above might be easy to brute force from a hash downloaded from a database dump, but is less easy to brute force at the login screen at <a href="http://Amazon.com" class="">Amazon.com</a>.<br class=""><br class="">As with most things, one must perform some level of risk analysis. Do you want an arbitrarily complex password that is resistant to offline attack, as in the case of the Ashley Madison data dump? Or do you want a password that makes it sufficiently hard for someone to log in as you? If you’re mostly concerned about the latter, then I’d wager that the above password is “good enough”, and it looks relatively secure against guesses based on public data about you.<br class=""></div></blockquote><div><br class=""></div><div>Wired takes the argument to a different level, even if the general idea isn't new. Basically, passwords need to go the way of Flash and die. Instead of diving into the math of brute force attacks directly on the password itself, he spends most of the article exploring avenues around your password.</div><div><br class=""></div><div><a href="http://www.wired.com/2012/11/ff-mat-honan-password-hacker/" class="">http://www.wired.com/2012/11/ff-mat-honan-password-hacker/</a></div><div><br class=""></div></div></body></html>