From: Technomage Hawke

> was that a comic page? I tried to find more than the apology there
> for the arguments about password security but I was confronted
> with the bane of every blind person: images that aren't
> descriptive.

Take a reasonably common password, like "troubaD0r&3". There are about 28 bits of entropy in that password; 11 for a reasonably random dictionary word, a few extra for replacing chars with numbers, a few extra for having a capital letter, and a few more for a random punctuation char and a number. 2^28 bits of entropy at 1000 guesses per second = 3 days to crack the password. And it's hard to remember. Was it trombone? Or troubador? And which O was a zero? And there was some symbol....

Take a different password, like "correct horse battery staple". 4 common English words, in a random order. This is 44 bits of entropy. 2^44 bits of entropy at 1000 guesses per second = 550 years. So it's hard to guess. Is it easy to remember? You've already memorized it!

Through 20 years of effort, we've trained people to use passwords that are hard for humans to remember, but comparatively easy for machines to guess.

This is not entirely serious (big surprise in a comic strip!) Some systems have a max password length, and the number of bits of entropy in those passwords is very open to debate. This didn't stop me from writing "correcthorsebatterystaple.php", which picked 20 random words from /usr/share/dict/words and spat them to stdout. What do you mean "viridian Syria cacomixl devilfish" isn't going to work on older Active Directory systems? Also, if you have to type in a password ~50 times a day, it's easier if it's short.
--
Matt G / Dances With Crows
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
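The word-picking generator and the entropy arithmetic from the message above, as an added Python example (not the poster's correcthorsebatterystaple.php). The function names and the 16-word sample list are constructed for illustration; the 44-bit figure corresponds to a 2048-word list at 11 bits per word.

```python
import math
import secrets

GUESSES_PER_SECOND = 1000          # attacker rate assumed in the post
SECONDS_PER_DAY = 86400

# Constructed sample list so the block runs offline; a real run would load
# a large list such as /usr/share/dict/words via load_words().
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "viridian",
                "devilfish", "trombone", "anchor", "lantern", "orbit",
                "pepper", "quartz", "saddle", "thimble", "walnut", "zephyr"]

def load_words(path, min_len=3, max_len=9):
    """Read a dictionary file, keeping unique lowercase alphabetic words."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        words = {w.strip().lower() for w in fh}
    return sorted(w for w in words
                  if w.isalpha() and min_len <= len(w) <= max_len)

def entropy_bits(list_size, word_count):
    """Bits of entropy when each word is drawn uniformly and independently."""
    return word_count * math.log2(list_size)

def worst_case_days(bits, rate=GUESSES_PER_SECOND):
    """Days to exhaust the whole search space at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_DAY

def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate(words, word_count, sep=" "):
    """Draw words with the OS CSPRNG (secrets), not the random module."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would overstate the entropy")
    return sep.join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    phrase = generate(SAMPLE_WORDS, 4)
    bits = entropy_bits(len(SAMPLE_WORDS), 4)
    print(f"{phrase!r}: {bits:.0f} bits from a {len(SAMPLE_WORDS)}-word list")
    for label, b in (("28-bit password", 28), ("44-bit passphrase", 44)):
        print(f"{label}: {worst_case_days(b):,.1f} days at 1000 guesses/s")
```

The entropy figure only holds when every word is chosen by the generator; a phrase the user picks or rearranges by hand has less.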