On Sat, Sep 02, 2017 at 09:33:10AM -0500, Mario Castelán Castro wrote:
> On 01/09/17 22:33, Zenaan Harkness wrote:
> > I am not mathematically literate enough to even properly parse that
> > sentence!
>
> Here (and through the rest of your message) you are admitting that you
> do not understand th
On Sat 02 Sep 2017 at 20:58:13 +0200, Thomas Schmitt wrote:
> Brian wrote:
> > I think you had a provider's compromised database in mind when you wrote
> > this.
>
> Yes. That's how an attacker can get the biggest harvest
> and also the risk which you cannot influence from remote.
True.
Hi,
Brian wrote:
> I think you had a provider's compromised database in mind when you wrote
> this.
Yes. That's how an attacker can get the biggest harvest
and also the risk which you cannot influence from remote.
> An attacker would be limited by his imagination and monetary and
> time
esn't necessarily
mean any of them need write passwords in the clear though. The
important thing is to come up with a system and stick with that system.
On Sat, 2 Sep 2017, Brian wrote:
Date: Sat, 2 Sep 2017 13:10:47
From: Brian
To: debian-user@lists.debian.org
Subject: Re: One-line password
On Sat 02 Sep 2017 at 12:52:32 +0200, Thomas Schmitt wrote:
> Jude DaShiell wrote:
> > We have a 20 character password here with at least two of each kind of
> > symbol in it lowers uppers numbers and symbols.
>
> If you produced it by a quite random method then my only potential
> criticism woul
On 01/09/17 22:33, Zenaan Harkness wrote:
> On Fri, Sep 01, 2017 at 09:38:14PM -0500, Mario Castelán Castro wrote:
>> No. Entropy is the appropriate word. Please recall that “entropy” is
>> just a different scale
>
> Use of the word "scale" is one example of things that lead people to
> use loose
Hi,
Jude DaShiell wrote:
> We have a 20 character password here with at least two of each kind of
> symbol in it lowers uppers numbers and symbols.
If you produced it by a quite random method then my only potential
criticism would be the question how you memorize it without the risk
that it gets
that this would be effective, but it does seem
plausible.
On Fri, 1 Sep 2017, Thomas Schmitt wrote:
Date: Fri, 1 Sep 2017 17:44:09
From: Thomas Schmitt
To: debian-user@lists.debian.org
Subject: Re: One-line password generator
Resent-Date: Fri, 1 Sep 2017 21:44:44 + (UTC)
Resent-From: d
On 01/09/17 18:43, Zenaan Harkness wrote:
> (Probably obvious, but as long as you're reading from urandom,
> "entropy" is the wrong word, in this context, better to say "128 bits
> of cryptographically secure numbers" as that which has been said e.g.
> by the Linux kernel urandom developers as being
On Fri, Sep 01, 2017 at 09:38:14PM -0500, Mario Castelán Castro wrote:
> On 01/09/17 18:43, Zenaan Harkness wrote:
> > (Probably obvious, but as long as you're reading from urandom,
> > "entropy" is the wrong word, in this context, better to say "128 bits
> > of crytographically secure numbers" as
On Fri, Sep 01, 2017 at 08:46:33PM +0100, Brian wrote:
> On Fri 01 Sep 2017 at 09:58:19 -0500, Mario Castelán Castro wrote:
>
> > On 22/08/17 10:04, Mario Castelán Castro wrote:
> > > I have the following line in my Bash init file:
> > >
> > > “alias gen-password="head -c 16 /dev/urandom | base64
On Fri, Sep 01, 2017 at 09:58:19AM -0500, Mario Castelán Castro wrote:
> On 22/08/17 10:04, Mario Castelán Castro wrote:
> > I have the following line in my Bash init file:
> >
> > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”
> >
> > This generates a password with
Hi,
Brian wrote:
> Here is a password
> F!Vz5s19WuXa61PaA"+5
> Where does the password come from? It doesn't matter.
But that's the cardboard backplane of the passwords which a human brain
can memorize: They have an origin or a memory hook.
Long passwords from a good random number generator a
On Fri 01 Sep 2017 at 09:58:19 -0500, Mario Castelán Castro wrote:
> On 22/08/17 10:04, Mario Castelán Castro wrote:
> > I have the following line in my Bash init file:
> >
> > “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”
> >
> > This generates a password with jus
On 22/08/17 10:04, Mario Castelán Castro wrote:
> I have the following line in my Bash init file:
>
> “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”
>
> This generates a password with just above 128 bits of entropy. You may
> find it useful.
A slight simplification:
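The alias above, reproduced in Python as an added example (this is not code from the thread): the 22 characters are a bijective encoding of the 16 random bytes, so the password carries exactly 128 bits, not 132. The 22nd character holds only the last 2 data bits plus 4 zero padding bits and can therefore only be one of four characters; drawing each character independently from the base64 alphabet with the `secrets` module is what actually gives 6 bits per character. Function names are this example's own.

```python
"""Added example: what `head -c 16 /dev/urandom | base64 | head -c 22` yields.

16 random bytes = 128 bits.  base64 spends 6 bits per character, so 22
characters offer 132 bit positions, but the 22nd character only receives
the last 2 data bits (plus 4 zero bits).  The output is a one-to-one
encoding of the 16 bytes: exactly 128 bits of entropy.
"""
import base64
import math
import os
import secrets

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")


def gen_password_pipeline(random_bytes=None):
    """Byte-for-byte equivalent of the alias; os.urandom is /dev/urandom."""
    if random_bytes is None:
        random_bytes = os.urandom(16)
    if len(random_bytes) != 16:
        raise ValueError("the pipeline reads exactly 16 bytes")
    return base64.b64encode(random_bytes).decode("ascii")[:22]


def recover_bytes(password):
    """Invert the pipeline: the 22 chars plus the dropped '==' are the
    full base64 encoding of the 16 bytes, so nothing was added or lost."""
    return base64.b64decode(password + "==")


def pipeline_entropy_bits(n_bytes=16):
    """The output cannot carry more entropy than its input: 8 bits per byte."""
    return 8 * n_bytes


def last_char_alphabet():
    """Run all 256 values of the 16th byte through the pipeline (other bytes
    fixed) and collect the final character: only 'A', 'Q', 'g', 'w' appear,
    because that character carries just 2 data bits."""
    seen = set()
    for b in range(256):
        seen.add(gen_password_pipeline(bytes(15) + bytes([b]))[-1])
    return "".join(sorted(seen))


def gen_password_choice(length=22, alphabet=B64_ALPHABET):
    """Independent CSPRNG draws from the 64-char alphabet: 6 bits per char."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def choice_entropy_bits(length=22, alphabet=B64_ALPHABET):
    """length * log2(|alphabet|): 22 * 6 = 132 bits for the base64 alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = gen_password_pipeline()
    print(pw, "->", pipeline_entropy_bits(), "bits; last char in",
          last_char_alphabet())
    print(gen_password_choice(), "->", choice_entropy_bits(), "bits")
```

Either form is fine for a 128-bit target; the point is only that the bit count has to be taken from the random source, not from the length of the encoded text.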
Hi,
i forgot to emphasize that each user should generate an own salt value by
$ python
>>> bcrypt.gensalt(16)
'$2a$16$MS6A6ZrsJ30ZdqHVCMWMm.'
and put it into the bcrypt call of bcryptedpw.py
p = bcrypt.hashpw(userpw, '$2a$16$MS6A6ZrsJ30ZdqHVCMWMm.')[-31:]
If many users would use the sa
Hi,
i made a test program from the SHA512 function of libjte, which stems from
GNU C Library version 2.7 and is used for Jigdo ISOs. A loop of 10 million
calls with a text of 80 characters, compiled -O2, ends after 4.088 seconds.
That's about 2 exp 23 times faster than python-bcrypt with 2 exp 16
Hi.
On Thu, Aug 31, 2017 at 08:00:54PM +0100, Brian wrote:
> On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:
>
> > On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> > 'Us'? Do not speak for all the list please.
>
> It is a construct; intended to involve everyone in the conversat
> From: a...@cityscape.co.uk
> To: debian-user@lists.debian.org
>
> On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:
>
>> On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
>> "Us"? Do not speak for all the list please.
>
> It is a construct; intended to involve everyone in the conversation.
On Wed 30 Aug 2017 at 00:59:15 +0300, Reco wrote:
> On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> 'Us'? Do not speak for all the list please.
It is a construct; intended to involve everyone in the conversation.
> Admit that you just did not read the pdf.
It is not concerned with onli
Hi,
Brian wrote:
> the crackers would likely not be in possession of a leaked password
> (Uld4dFpYSkdkV1J3ZFdOclpYSUsK) but of a hash of it.
That's why i did not claim to be able to decipher such things but rather
mentioned that the name is celebrity enough to be quickly enumerated.
The next two
On Wednesday 30 August 2017 10:25:00 Thomas Schmitt wrote:
> Hi,
>
> i wrote:
> > > The reason why this is still not fully reflected by the man page
> > > is not yet uncovered.
>
> Gene Heskett wrote:
> > Maybe a wee bit of security by obscurity? There is that I think in
> > everyones thinking on
On Wed 30 Aug 2017 at 15:47:35 +0200, Thomas Schmitt wrote:
> Gene Heskett wrote:
> > Well, that easy to remember method just went down in flames. Sigh...
>
> That's the first diffuse but significant wisdom we found in this thread:
>
> If you can memorize it without the help of publicly knowabl
On Wednesday 30 August 2017 10:07:09 Greg Wooledge wrote:
> On Wed, Aug 30, 2017 at 09:57:34AM -0400, Gene Heskett wrote:
> > On Wednesday 30 August 2017 09:47:35 Thomas Schmitt wrote:
> > > The reason why this is still not fully reflected by the man page
> > > is not yet uncovered.
> >
> > Maybe
Hi,
i wrote:
> > If you can memorize it without the help of publicly knowable details of
> > your life, then it's too easy to enumerate with nowadays' hardware.
Curt wrote:
> He should've salted it a little.
Sure. I also did not "crack" it by enumeration but by base64 -d after
recognizing the ty
On 2017-08-30, Thomas Schmitt wrote:
> Hi,
>
> Gene Heskett wrote:
>> Well, that easy to remember method just went down in flames. Sigh...
>
> That's the first diffuse but significant wisdom we found in this thread:
>
> If you can memorize it without the help of publicly knowable details of
> you
Hi,
i wrote:
> > The reason why this is still not fully reflected by the man page is
> > not yet uncovered.
Gene Heskett wrote:
> Maybe a wee bit of security by obscurity? There is that I think in
> everyones thinking on this subject. They don't want to price the farm
> so cheap that it will
On Wed, Aug 30, 2017 at 09:57:34AM -0400, Gene Heskett wrote:
> On Wednesday 30 August 2017 09:47:35 Thomas Schmitt wrote:
> > The reason why this is still not fully reflected by the man page is
> > not yet uncovered.
>
> Maybe a wee bit of security by obscurity?
Or you're not reading the current
On Wednesday 30 August 2017 09:47:35 Thomas Schmitt wrote:
> Hi,
>
> Gene Heskett wrote:
> > Well, that easy to remember method just went down in flames.
> > Sigh...
>
> That's the first diffuse but significant wisdom we found in this
> thread:
>
> If you can memorize it without the help of publi
Hi,
Gene Heskett wrote:
> Well, that easy to remember method just went down in flames. Sigh...
That's the first diffuse but significant wisdom we found in this thread:
If you can memorize it without the help of publicly knowable details of
your life, then it's too easy to enumerate with nowaday
On Wednesday 30 August 2017 09:09:49 Thomas Schmitt wrote:
> Hi,
>
> > I hereby challenge this group to crack this passwd:
> > Uld4dFpYSkdkV1J3ZFdOclpYSUsK
>
> Without the claim to be able to do this again:
>
> By enumerating the name "Elmer Fudpucker" (obviously known to the
> internet) and apply
Hi,
> I hereby challenge this group to crack this passwd:
> Uld4dFpYSkdkV1J3ZFdOclpYSUsK
Without the claim to be able to do this again:
By enumerating the name "Elmer Fudpucker" (obviously known to the internet)
and applying base64 twice:
$ echo "ElmerFudpucker" | base64 | base64
Uld4dFpYSk
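The "crack" above was a recognition of shape, not a search. As an added example (not code from the thread), the following peels base64 layers off a string for as long as it is a well-formed base64 string that decodes to printable ASCII, which is exactly the test that exposes the challenge string after two rounds. The helper names and the stopping rule are this example's own choices.

```python
"""Added example: peel nested base64 layers off a candidate 'password'.

A string that is (a) entirely base64 alphabet, (b) a multiple of 4 long
and (c) decodes to printable ASCII is almost certainly an encoding of
something shorter.  Repeating the test until it fails recovers the
plaintext behind the challenge string from the thread in two steps.
"""
import base64
import binascii
import re
import string

CHALLENGE = "Uld4dFpYSkdkV1J3ZFdOclpYSUsK"   # the string posted in the thread
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable.encode("ascii"))


def looks_like_base64(s):
    """Shape check only: base64 alphabet, optional padding, length % 4 == 0."""
    return len(s) % 4 == 0 and bool(_B64_RE.match(s))


def peel_base64(text, max_layers=5):
    """Return the chain [layer0, layer1, ...] of successive decodings.

    Stops when the current layer is not base64-shaped, does not decode,
    or decodes to something that is not printable ASCII (a random key
    would stop at the first decode; the trailing newline that `echo`
    adds is stripped before each attempt, as the thread's pipeline did)."""
    chain = [text]
    current = text
    for _ in range(max_layers):
        candidate = current.strip()
        if not looks_like_base64(candidate):
            break
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        if not raw or any(b not in _PRINTABLE for b in raw):
            break
        current = raw.decode("ascii")
        chain.append(current)
    return chain


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(CHALLENGE)):
        print(depth, repr(layer))
```

The lesson the thread draws holds regardless of the helper: a memorable input run through a public, keyless transform is only as strong as the input, and a transform as recognisable as base64 does not even slow the attacker down.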
On Wednesday 30 August 2017 08:11:05 Greg Wooledge wrote:
> On Wed, Aug 30, 2017 at 11:47:24AM +1000, Zenaan Harkness wrote:
> > They don't. You ought not use /dev/urandom for key generation, use
> > /dev/random instead.
>
> The Linux man page disagrees with you. From Debian 9 urandom(4):
>
>
On Wed, Aug 30, 2017 at 11:47:24AM +1000, Zenaan Harkness wrote:
> They don't. You ought not use /dev/urandom for key generation, use
> /dev/random instead.
The Linux man page disagrees with you. From Debian 9 urandom(4):
The /dev/random device is a legacy interface which dates back to a
Hi,
Curt wrote:
> How about TawnyLoveRockefellerIII?
Expect to get mails like:
"Your money account at Blingstergirl.com is empty. Please send 1 million $
and some swimwear photos of you to prove your identity."
Have a nice day :)
Thomas
Hi,
Zenaan Harkness wrote:
> Once again: QUOTE THE ARTICLE!!!
Ouch my eyes. You shout.
If the article puts one of its key statements into a diagram, then
i cannot quote that directly as text, but only re-narrate it.
> Then, QUOTE ME.
> quote PRECISELY
I did this in many lines. Without shoutin
On 2017-08-29, Thomas Schmitt wrote:
>
>> Ok, they have to start somewhere - it might as well be you. :)
>
> Never choose a username that looks like money or sexual exploitability.
How about TawnyLoveRockefellerIII?
--
"Time flies like an arrow. Fruit flies like a banana." Groucho.
On Tue, Aug 29, 2017 at 02:52:10PM +0200, Thomas Schmitt wrote:
> Hi,
>
> Andy Smith wrote:
> > https://www.2uo.de/myths-about-urandom/#experts
>
> So it is about how Daniel Bernstein justifies his claim that it is
> wrong to say:
>
> "we can't figure out how to deterministically expand one 25
On Tue, Aug 29, 2017 at 02:28:01PM +0200, Thomas Schmitt wrote:
> Hi,
>
> now it's not about information technology any more but about math and the
> difficulty to properly discuss a mathematical opinion.
>
>
> Zenaan Harkness wrote:
> > Which myth?
>
> The one denounced by Thomas Huehn's artic
Hi.
On Tue, Aug 29, 2017 at 08:50:53PM +0100, Brian wrote:
> On Tue 29 Aug 2017 at 22:29:41 +0300, Reco wrote:
>
> > Hi.
> >
> > On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote:
> > > On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote:
> > >
> > > > Brian wrote:
> > >
Hi,
Brian wrote:
> They would never have got to
>my!only"reason£for$living%is^ebay
Unless some group of people is caught with using this scheme.
Of course the attacker needs more computing power than with a camelback
style text that bears no separators out of a set with a few dozen
character
On Tue 29 Aug 2017 at 22:29:41 +0300, Reco wrote:
> Hi.
>
> On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote:
> > On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote:
> >
> > > Brian wrote:
> > > > I do not have to run faster than the bear, just faster than anyone else.
> >
>
Hi.
On Tue, Aug 29, 2017 at 08:14:59PM +0100, Brian wrote:
> On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote:
>
> > Brian wrote:
> > > I do not have to run faster than the bear, just faster than anyone else.
>
> (Analogies never work. Remind me not to use them again).
>
> >
On Sun 27 Aug 2017 at 21:12:12 +0200, Thomas Schmitt wrote:
> Brian wrote:
> > I do not have to run faster than the bear, just faster than anyone else.
(Analogies never work. Remind me not to use them again).
> According to the article about the successful cracking, it is not so much
> about ho
Hi,
Andy Smith wrote:
> https://www.2uo.de/myths-about-urandom/#experts
So it is about how Daniel Bernstein justifies his claim that it is
wrong to say:
"we can't figure out how to deterministically expand one 256-bit
/dev/random output into an endless stream of unpredictable keys
(this
Hi,
now it's not about information technology any more but about math and the
difficulty to properly discuss a mathematical opinion.
Zenaan Harkness wrote:
> Which myth?
The one denounced by Thomas Huehn's article. Saying that /dev/random
gets fed directly from the entropy pool:
https://www.2
Hello,
On Tue, Aug 29, 2017 at 12:40:48PM +0200, Thomas Schmitt wrote:
> Originally Curt wrote:
> > > > https://www.2uo.de/myths-about-urandom
>
> Zenaan Harkness wrote:
> > Really great myth-debunking article
>
> Up to now i found no credible expert opinion which would clearly
> contradict it.
On Tue, Aug 29, 2017 at 12:40:48PM +0200, Thomas Schmitt wrote:
> Hi,
>
> Zenaan Harkness wrote:
> > I should have written "/dev/random should be treated as though it is
> > the input feed to /dev/urandom" (sorry about that).
>
> But that it isn't. The myth model says that it would be.
Which myth?
Hi,
Zenaan Harkness wrote:
> I should have written "/dev/random should be treated as though it is
> the input feed to /dev/urandom" (sorry about that).
But that it isn't. The myth model says that it would be. But the
other quite credible info says that its output stems from the pseudo
random number
On Tue, Aug 29, 2017 at 06:49:45PM +1000, Zenaan Harkness wrote:
> I stated:
> > > https://www.2uo.de/myths-about-urandom/structure-yes.png
>
> > > The new situation as stated in
> > > https://www.2uo.de/myths-about-urandom/structure-new.png
> >
> > I always thought (even pre- Kernel 4.8) tha
I stated:
> > https://www.2uo.de/myths-about-urandom/structure-yes.png
> > The new situation as stated in
> > https://www.2uo.de/myths-about-urandom/structure-new.png
>
> I always thought (even pre- Kernel 4.8) that structure-new was how it
> worked. But on the other hand, it's just a diagram
On Tue, Aug 29, 2017 at 09:06:07AM +0200, Thomas Schmitt wrote:
> Hi,
>
> Zenaan Harkness wrote:
> > AIUI /dev/random is simply the input feed to /dev/urandom [...]
I should have written "/dev/random should be treated as though it is
the input feed to /dev/urandom" (sorry about that).
> This is w
Hi,
Zenaan Harkness wrote:
> AIUI /dev/random is simply the input feed to /dev/urandom [...]
This is what the article by Thomas Huehn
https://www.2uo.de/myths-about-urandom/
calls a myth, illustrated by diagram
https://www.2uo.de/myths-about-urandom/structure-no.png
Andy Smith stated in
h
On Mon, Aug 28, 2017 at 12:04:51PM +0200, Thomas Schmitt wrote:
> Hi,
>
> Curt wrote:
> > Here's a fresh (20 July of this year) view by Theodore Ts'o:
> > https://lkml.org/lkml/2017/7/20/993
>
> An opinion of substantial weight, indeed.
>
> Nevertheless it would be more interesting to learn the
Hi,
i wrote:
> > I understand that in this situation there is no difference
> > between /dev/random and /dev/urandom.
> > The difference appears only when the assumption of wealth is not fulfilled.
Andy Smith wrote:
> It cannot be "not fulfilled" except in the very early boot sequence.
Well, the
Hello,
On Mon, Aug 28, 2017 at 12:04:51PM +0200, Thomas Schmitt wrote:
> And again, the argumentation of Theodore is that there is always enough
> entropy at hand. I understand that in this situation there is no difference
> between /dev/random and /dev/urandom.
> The difference appears only when
Hi,
Curt wrote:
> Here's a fresh (20 July of this year) view by Theodore Ts'o:
> https://lkml.org/lkml/2017/7/20/993
An opinion of substantial weight, indeed.
Nevertheless it would be more interesting to learn the reason why Linux
did not simply make /dev/random behave like /dev/urandom long ago
On 2017-08-28, Thomas Schmitt wrote:
>
> But i myself have two use cases for (pseudo-)random numbers:
> - Small but hard secrets which i need for security purposes.
> - 3 times 25 GB of random stream to surely shake up the bits on a BD-RE
> medium which previously contained embarrassing data.
He
Hi,
Andy Smith wrote:
> The relevant Linux man pages were
> recently updated to clarify that once seeded, /dev/urandom is
> sufficient for any use
> [...]
> https://bugzilla.kernel.org/show_bug.cgi?id=71211
Maybe there are stronger reasons to abandon /dev/random. But that thread
states as only ot
Hello,
On Sun, Aug 27, 2017 at 09:05:41PM +0200, Thomas Schmitt wrote:
> Curt wrote:
> > So this is wrong:
> > https://www.2uo.de/myths-about-urandom/
>
> Dunno. I took my info from the man page.
The article at 2uo.de is correct. The relevant Linux man pages were
recently updated to clarify that
Hi,
Brian wrote:
> I do not have to run faster than the bear, just faster than anyone else.
According to the article about the successful cracking, it is not so much
about how fast you are. The bear will not stop when it is done with eating
those behind you.
It is rather about not to walk the pa
Hi,
Curt wrote:
> So this is wrong:
> https://www.2uo.de/myths-about-urandom/
Dunno. I took my info from the man page.
This article is, at least at its beginnings, very affirmative and sparsely
equipped with supporting facts. Mainly "Believe Me !".
The author is a proselyte of urandom, as he confes
On Sun 27 Aug 2017 at 17:08:16 +0200, Thomas Schmitt wrote:
> Hi,
>
> i wrote:
> > > Quite hard
> > > to guess would be if you replace sha256sum by an encryption program with
> > > a key which you successfully keep secret.
>
> Brian wrote:
> > Increasing difficulty in this way looks good to me.
On 2017-08-27, Thomas Schmitt wrote:
>
>
> If your password is not that strong, then you are probably better off with
> Mario Castelán Castro's approach modified by use of /dev/random instead of
> /dev/urandom.
> https://lists.debian.org/debian-user/2017/08/msg01260.html
>
> head -c 16 /dev/ra
On 27/08/17 08:55, Brian wrote:
> Thank you for the detailed explanation. I had already come to some of
> the conclusions in your account but it is good to have them firmly and
> succinctly laid out.
You are welcome.
--
Do not eat animals, respect them as you respect people.
https://duckduckgo.c
Hi,
i wrote:
> > Quite hard
> > to guess would be if you replace sha256sum by an encryption program with
> > a key which you successfully keep secret.
Brian wrote:
> Increasing difficulty in this way looks good to me. Thanks. I would most
> certainly hope I could keep the key secret.
Now you wou
On Sat 26 Aug 2017 at 21:14:35 -0500, Mario Castelán Castro wrote:
> On 26/08/17 13:25, Brian wrote:
> > How does this
> >
> > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1
> >
> > compare with your recommendation?
>
> I do not see the point in this post-processing.
>
>
On Sat 26 Aug 2017 at 21:15:37 +0200, Thomas Schmitt wrote:
> Hi,
>
> Brian wrote:
> > echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1
>
> The quality criterion is the ease or difficulty of guessing the 'secretpassword'
> by a skilled enumerator and whether your attacke
On Sat 26 Aug 2017 at 20:07:34 +0100, Brian wrote:
> On Sat 26 Aug 2017 at 20:37:01 +0200, Nicolas George wrote:
>
> > Le nonidi 9 fructidor, an CCXXV, Brian a écrit :
> > > echo 'secretpassword' |
> >
> > echo 'secretpassword site-name'
> >
> > > sha256sum - | base64
> >
On 26/08/17 13:25, Brian wrote:
> How does this
>
> echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1
>
> compare with your recommendation?
I do not see the point in this post-processing.
It seems that you have a very wrong impression of what makes a password
generation schem
Hi,
Brian wrote:
> echo 'secretpassword' | sha256sum - | base64 | cut -c -30 | head -1
The quality criterion is the ease or difficulty of guessing the 'secretpassword'
by a skilled enumerator and whether your attacker knows the rest
of your processing pipeline.
If your secretpassword itsel
On Sat 26 Aug 2017 at 20:37:01 +0200, Nicolas George wrote:
> Le nonidi 9 fructidor, an CCXXV, Brian a écrit :
> > echo 'secretpassword' |
>
> echo 'secretpassword site-name'
>
> >sha256sum - | base64
>
> Very bad: since sha256sum outputs its result in hexadecimal, it o
Le nonidi 9 fructidor, an CCXXV, Brian a écrit :
> echo 'secretpassword' |
echo 'secretpassword site-name'
> sha256sum - | base64
Very bad: since sha256sum outputs its result in hexadecimal, it only has
half the entropy it seems to have. The same thing with Perl's
Diges
On Tue 22 Aug 2017 at 10:04:59 -0500, Mario Castelán Castro wrote:
> I have the following line in my Bash init file:
>
> “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”
>
> This generates a password with just above 128 bits of entropy. You may
> find it useful.
How
On 25/08/17 13:44, Thomas Schmitt wrote:
>> I will justify my claim of incompetence.
>
> So that it does not look like an intentional insult ?
Plain and simple, my reason is to avoid further discussion about
cryptography with you.
I did not write this with the purpose of making an insult,
On 25/08/17 12:15, Thomas Schmitt wrote:
>> Also, the theoretical vulnerability described in that man page is far
>> fetched.
> It is a mathematical fact. If you take a few theoretically unpredictable
> bits and inflate them to 128 bits, then the added size is no entropy,
> although it might be har
On 25/08/17 12:11, Brian wrote:
>> Unless you have a good reason to think otherwise (e.g. *you* manage the
>> web site and you know you are doing a good job), you should assume that
>> the database with hashed passwords will leak without the system
>> administrators noticing, and then an attack ca
On 25/08/17 11:51, Brian wrote:
> However, users use passwords to log into accounts *online* and those
> passwords are devised to withstand an *online* attack (of 100 tests per
> second maximum(?)). This is the only aspect a user can completely
> control and many make a good job of it. Passwords
Hi,
> You say that pseudo-random number generators can not add entropy and
> this is a mathematical fact. This is true, and irrelevant.
> [...
> lots of algebraic terms about the difficulty to revert the
> mapping which produces the pseudo-random redundancy
> ...]
The attack described in the ar
On Fri 25 Aug 2017 at 12:14:18 -0500, Mario Castelán Castro wrote:
> On 25/08/17 12:11, Brian wrote:
> >> Unless you have a good reason to think otherwise (e.g. *you* manage the
> >> web site and you know you are doing a good job), you should assume that
> >> the database with hashed passwords wi
On 25/08/17 09:46, Thomas Schmitt wrote:
> Mario Castelán Castro wrote:
>> In principle, yes, but in practice, not at all. File compressors [...]
>
> I wrote "estimate", "approximation", and "best possible compression".
> Of course gzip is not a very good approximation even if one subtracts the
>
Hi,
Mario Castelán Castro wrote:
> My point is that there is no way to make a
> reasonable approximation to the Kolmogorov complexity of a password.
That's my point, too. Although i use the terms "information" and "entropy".
> To recap: Real-life file compressors can not be used to estimate th
On Fri 25 Aug 2017 at 11:55:01 -0500, Mario Castelán Castro wrote:
> On 25/08/17 11:51, Brian wrote:
> > However, users use passwords to log into accounts *online* and those
> > passwords are devised to withstand an *online* attack (of 100 tests per
> > second maximum(?)). This is the only aspec
On Fri 25 Aug 2017 at 08:40:35 +, Curt wrote:
> On 2017-08-25, David Wright wrote:
> >
> > Unless you have accounts¹ that invite break-in attempts², the main
> > thing to resist offline cracking is to have better passwords than
> > your neighbours, just like security against burglary. Once a
On 25/08/17 04:21, Thomas Schmitt wrote:
> One can estimate entropy by an approximation of the best possible
> compression in the context of the knowledge of the reader.
> The compression result will generally be longer if the compressor has
> less knowledge about the message.
In principle, yes,
Hi,
i wrote:
> > One can estimate entropy by an approximation of the best possible
> > compression in the context of the knowledge of the reader.
Mario Castelán Castro wrote:
> In principle, yes, but in practice, not at all. File compressors [...]
I wrote "estimate", "approximation", and "best p
Hi,
Curt wrote:
> https://xkcd.com/936/
Well, this is a joke for mathematicians. ROFL et.al.
> https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
... and this lays out why the other is so funny.
So what is the reason why
IhaveaMemora
On 2017-08-25, David Wright wrote:
>
> Unless you have accounts¹ that invite break-in attempts², the main
> thing to resist offline cracking is to have better passwords than
> your neighbours, just like security against burglary. Once a suitable
> proportion of passwords have been cracked, which w
On Thu 24 Aug 2017 at 18:42:47 (+0100), Brian wrote:
> On Wed 23 Aug 2017 at 18:06:49 -0500, Mario Castelán Castro wrote:
> > On 23/08/17 14:11, Brian wrote:
> > > "Probably" is probably good enough. The probability of either of the two
> > > previous passwords being deduced from pure guessing is
On Wed 23 Aug 2017 at 18:06:49 -0500, Mario Castelán Castro wrote:
> On 23/08/17 14:11, Brian wrote:
> >> As for the scenario where the password is compromised and that leads to
> >> somebody posting slander in one behalf, that can happen without any need
> >> for password cracking. Anybody can cr
On 23/08/17 14:11, Brian wrote:
>> As for the scenario where the password is compromised and that leads to
>> somebody posting slander in one behalf, that can happen without any need
>> for password cracking. Anybody can create a profile in a social network
>> pretending to be you with the intentio
On 08/24/2017 02:11 AM, Brian wrote:
> You should never reveal how your passwords are generated. In detail,
> that is; in principle there might be no harm done.
But how do you know how much you can reveal about it until there is real
harm done? You can't really know for sure how much entropy your
You certainly didn't upset my appetite! As a Linux user since the
mid-Nineties I can only say how on a daily basis I am increasingly impressed
by, and grateful for, the very supportive Linux (in particular the Debian
- since that is my favourite distribution) community.
In particular I understand
One thing is for sure, with the good ol'boyz club of developers and
ex-developers there is no room on this list for /users
Which proves my theory that it is insiders of the linux community that make it
so hostile for the rest of the world, due to their insecurity their good ol'boy club will
col
On Tue, Aug 22, 2017 at 8:20 PM, Mario Castelán Castro
wrote:
I ask the user for a fairly long line in a song, or maybe a poem, that
they know or can learn. Something like the third line of a 19th
century translation of Homer's Odyssey.
I use the first letter, randomly upper-cased if necessary,
On 23/08/17 11:57, Brian wrote:
>> If you do not care about security, you could generate a single 4
>> character bit block with my method and save typing.
>
> One online password checker (not that I understand how it works or even
> trust it) gives
>
> IhaveaMemorablePasswordwhichIwillnotforget!
On Wed, Aug 23, 2017 at 03:23:50PM -0400, Greg Wooledge wrote:
> On Wed, Aug 23, 2017 at 01:16:56PM -0600, Aaron Toponce wrote:
> > Three POSIX-compliant shell functions that rely on no extra utilities
> > shuff () {
> > if [ $(command -v shuf) ]
>
> Needs quotes.
Good catch.
> >
On Wed, Aug 23, 2017 at 01:16:56PM -0600, Aaron Toponce wrote:
> Three POSIX-compliant shell functions that rely on no extra utilities
> shuff () {
> if [ $(command -v shuf) ]
Needs quotes.
> shuffle -f /dev/stdin -p "$1"
/dev/stdin is not POSIX-compliant.
> else
On Tue, Aug 22, 2017 at 10:04:59AM -0500, Mario Castelán Castro wrote:
> I have the following line in my Bash init file:
>
> “alias gen-password="head -c 16 /dev/urandom | base64 | head -c 22 && echo"”
>
> This generates a password with just above 128 bits of entropy. You may
> find it useful.
T
On Wed 23 Aug 2017 at 12:58:19 -0500, Mario Castelán Castro wrote:
> On 23/08/17 11:57, Brian wrote:
> >> If you do not care about security, you could generate a single 4
> >> character bit block with my method and save typing.
> >
> > One online password checker (not that I understand how it wor