rjoc04679

Garrett Wollman wollman@bimajority.org
Thu Mar 31 09:47:41 EDT 2011


<<On Thu, 31 Mar 2011 09:24:36 -0400, Richard Chonak <rac@gabrielmass.com> said:

> My example would be better with even modest changes, such as
> "cha$nneL-40+minuX-2",

This actually adds almost nothing over the original password.

> To go further, one can add accented characters or foreign alphabet
> letters.  (Though with the foreign alphabets the password may not be
> usable on some phones.)

To go further, one obvious thing that far too few people ever consider
is whitespace.  Control characters are also usable in many
circumstances but very difficult to enter.

One important thing to keep in mind, so long as we're talking about
password construction: no competently designed system provides more
information about a failed login than necessary.  There's no way for
an attacker to try a password and get back "almost right" as an
answer.  (It turned out that this was possible on some early systems
from the 1970s, including TENEX if memory serves me correctly, so this
lesson has been known for a very long time now.)  For this reason, I'm
somewhat dubious of the "entropy" analysis of passwords -- but I'll
still follow their advice anyway.

-GAWollman
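The "almost right" leak Wollman describes is easy to reproduce in miniature. The following is an added example, not code from the thread or from any system it mentions: a login check that stops comparing at the first wrong byte and exposes how far it got (a stand-in for whatever side channel a real system leaks, such as timing, or the per-character leak the message attributes to TENEX), next to a constant-time check that only answers yes or no. The sample password is the one Chonak quoted above, used here purely as constructed test data; the attack, alphabet and guess budget are assumptions for the demonstration.

```python
import hmac

# Constructed sample secret (the string quoted in the thread), not a real credential.
SECRET = b"cha$nneL-40+minuX-2"

# Printable ASCII, including space: Wollman's "whitespace" is an ordinary byte here.
PRINTABLE = bytes(range(32, 127))


def leaky_check(guess: bytes, secret: bytes = SECRET) -> tuple[bool, int]:
    """Early-exit comparison.

    Returns (accepted, number of leading bytes that matched).  The second value
    models the side channel a careless system leaks; it is not part of any
    sensible login API and is returned explicitly only so the leak is visible.
    """
    matched = 0
    for g, s in zip(guess, secret):
        if g != s:
            return False, matched
        matched += 1
    return (matched == len(secret) == len(guess)), matched


def safe_check(guess: bytes, secret: bytes = SECRET) -> bool:
    """Constant-time comparison: the only information is accept/reject."""
    return hmac.compare_digest(guess, secret)


def recover_with_oracle(oracle, length: int, alphabet: bytes):
    """Extend a known prefix one byte at a time using the 'how far did I get'
    oracle.  Cost is at most len(alphabet) * length guesses instead of the
    len(alphabet) ** length an honest yes/no oracle forces.

    Returns (recovered_secret or None, number of oracle calls).  Assumes the
    length is known; padding bytes (0x00) fill the still-unknown tail.
    """
    known = b""
    calls = 0
    for pos in range(length):
        for c in alphabet:
            calls += 1
            candidate = known + bytes([c]) + b"\x00" * (length - pos - 1)
            accepted, matched = oracle(candidate)
            # A correct byte at this position pushes the match count past pos.
            if accepted or matched > pos:
                known += bytes([c])
                break
        else:
            # No byte advanced the prefix: the oracle gave us nothing to work with.
            return None, calls
    return known, calls


def yes_no_oracle(guess: bytes) -> tuple[bool, int]:
    """Adapter so the same attack can be run against the constant-time check.
    It never reports a partial match, so the attack cannot get past byte 0."""
    return safe_check(guess), 0


if __name__ == "__main__":
    got, calls = recover_with_oracle(leaky_check, len(SECRET), PRINTABLE)
    print("leaky oracle:", got, "in", calls, "guesses")
    got, calls = recover_with_oracle(yes_no_oracle, len(SECRET), PRINTABLE)
    print("constant-time oracle:", got, "after", calls, "guesses")
```

Against the leaky check the whole 19-byte secret falls in under 95 * 19 guesses; against `hmac.compare_digest` the same loop never advances past the first byte, which is the property Wollman is relying on when he says the entropy of the string is what an attacker has to pay for. In a real system the "matched" count is never returned, of course; it leaks through timing, and the fix is the same constant-time comparison (or, better, comparing hashes of the password rather than the password itself).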



More information about the Boston-Radio-Interest mailing list