Wolfgang Leithner wrote:
On Tuesday 01 August 2006 17:09, suse@rio.vg wrote:
In principle, that's good advice, but most people, besides not being able to spell correctly (or even incorrectly), can't remember HOW they misspelled their passphrase. The end is: they write it down. But using a phrase, or the first letters of all the words in this phrase or something equally irritating ;), seems to be the better choice (better as to make them change their pwd every so often)
Well, just spell the passphrase correctly. What's wrong with that? My Bears example may have been a bit culture-centric to here in the States. For someone who likes Edgar Allan Poe, you could have "Quoth the Raven, Nevermore", or for someone who liked Moby Dick: "Call me Ishmael." Or for someone who likes American Idol: "Simon is a real Jerk!" Or for a classical musician: "A Flute Player is a Flautist" (which I found out recently). The key is for the user to come up with it themselves, or at least tailor it to them. If someone speaks another language, use that. With a highly variable number of characters, dictionary attacks become exponentially more difficult, even if you stick to fairly straightforward language. Rather than go for numbers, I'll try to include a word that is rare or at least uncommon, and capitalization that is natural, but difficult for a computer to guess, and throw in some punctuation somewhere for good measure.
Here I must contradict you: about every two to three weeks some machine or other starts dict attacks on any number of my firewalls. The logs are full of "unknown user" and "wrong password" lines in rapid succession.
Oh, yes, I get those every day. However, look at them more closely. I haven't had a single case in several years where the same username was tried over and over. They'll knock on the ssh port trying a whole bunch of usernames, but only one or two passwords, and usually no password at all.
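The check the reply above suggests (look more closely at who is knocking and how), as an added Python example that is not part of the original thread or either poster's tooling: it parses sshd "Failed password" lines, groups them per source address, and separates sources that sweep many usernames with one or two guesses each from sources that hammer a single account. The log lines are constructed (TEST-NET addresses, invented PIDs); the two thresholds are assumptions a defender would tune for their own firewalls.

```python
import re
from collections import defaultdict

# Pattern for the two common OpenSSH failure lines:
#   "Failed password for invalid user NAME from IP port N ssh2"  (unknown account)
#   "Failed password for NAME from IP port N ssh2"               (existing account)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log excerpt; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug  1 17:09:01 fw1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug  1 17:09:02 fw1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Aug  1 17:09:02 fw1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51247 ssh2
Aug  1 17:09:03 fw1 sshd[2207]: Failed password for root from 203.0.113.5 port 51251 ssh2
Aug  1 17:09:03 fw1 sshd[2209]: Failed password for invalid user guest from 203.0.113.5 port 51255 ssh2
Aug  1 17:09:10 fw1 sshd[2211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Aug  1 17:09:11 fw1 sshd[2213]: Failed password for root from 198.51.100.7 port 40002 ssh2
Aug  1 17:09:12 fw1 sshd[2215]: Failed password for root from 198.51.100.7 port 40003 ssh2
Aug  1 17:09:13 fw1 sshd[2217]: Failed password for root from 198.51.100.7 port 40004 ssh2
Aug  1 17:09:14 fw1 sshd[2219]: Failed password for root from 198.51.100.7 port 40005 ssh2
Aug  1 17:09:20 fw1 sshd[2221]: Accepted publickey for wolfgang from 192.0.2.10 port 50000 ssh2
"""


def parse_failures(log_text):
    """Return {source_ip: {username: failed_attempts}} for every failed-password line.

    Successful logins and unrelated lines are ignored.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return {ip: dict(users) for ip, users in per_ip.items()}


def classify_source(user_counts, sweep_min_users=3, brute_min_attempts=3):
    """Label one source address by the shape of its failures.

    username-sweep:    many different accounts, at most two tries each
                       (the pattern described in the reply above)
    password-guessing: repeated tries against the same account, the case
                       where a weak password actually matters
    low-volume:        too little to say (typos, a single mistyped login)
    Thresholds are assumed defaults, not values from the thread.
    """
    distinct_users = len(user_counts)
    max_per_user = max(user_counts.values())
    if distinct_users >= sweep_min_users and max_per_user <= 2:
        return "username-sweep"
    if max_per_user >= brute_min_attempts:
        return "password-guessing"
    return "low-volume"


def summarize(log_text):
    """Per source: (distinct usernames, total failed attempts, classification)."""
    return {
        ip: (len(users), sum(users.values()), classify_source(users))
        for ip, users in parse_failures(log_text).items()
    }


if __name__ == "__main__":
    for ip, (n_users, n_attempts, label) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} users={n_users:3} attempts={n_attempts:3} {label}")
```

The distinction matters for what to do next: a username sweep says nothing about passphrase strength and is best answered with rate limiting or key-only logins, whereas repeated guesses against one real account is exactly the case the passphrase advice in this thread is meant to withstand.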