Carlos E. R. wrote:
The Tuesday 2008-05-20 at 19:26 -0400, Washington Irving wrote:
The idea is that the number of passwords which need to be tried to guarantee success in a brute force attack is:
CharacterSetSize ** PasswordLength
By forcing the user to expand beyond 26 lowercase letters, to include upper case, numerals, and punctuation characters, the character set size expands from 26 to 94.
So, change to hexadecimal passwords, made with a random generator. Char set size = 255
Have fun typing values greater than 127
:-P
More seriously, though, for some time I had to enter a login password composed from some digits taken from a little gadget that displayed a pin number that changed every minute (and different for every employee), and a remembered pin: the combo is not guessable nor breakable by brute force. They need to steal the gadget and force the pin out of the user.
However, if you force users to create very difficult passwords, they will have to write them down, and that's a worse liability than relatively weak passwords.
What I do is this... I have a "standard" part to all of my passwords -- it's based on a password which I used back in college for several years -- back before machines were fast enough to do a brute-force attack on an 8-character password in less than a month, and even then, I was using a passphrase rather than trying to use a word of letters. Anyways, when I have to have an extremely long password which I can't remember... I write down the other part, but omit my "standard" string. This way, even if someone finds my password cheat sheet...they still don't have my passwords.
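As an added example that is not part of the thread, the search-space formula quoted above (CharacterSetSize ** PasswordLength) worked through in Python for the policies the posters compare: lowercase only, the 94 printable characters, and hex. It assumes a hex password offers 16 symbols per character typed, and the month-long attack window used to derive a guess rate is taken from the last post; the guess rate itself is a computed figure, not a measurement.

```python
import math

# Character-set sizes for the policies discussed in the thread.
CHARSETS = {
    "lowercase": 26,           # a-z
    "printable ASCII": 94,     # upper, lower, digits, punctuation (no space)
    "hex digits": 16,          # 0-9a-f: assumption, one hex digit per character typed
}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: CharacterSetSize ** PasswordLength."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent key length in bits for a uniformly random password."""
    return length * math.log2(charset_size)


def equivalent_length(target_charset: int, target_length: int, charset_size: int) -> int:
    """Shortest password over `charset_size` symbols whose keyspace is at least the target's."""
    target = keyspace(target_charset, target_length)
    n = 1
    while keyspace(charset_size, n) < target:
        n += 1
    return n


def required_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace within `seconds`."""
    return keyspace(charset_size, length) / seconds


if __name__ == "__main__":
    length = 8
    month = 30 * 24 * 3600  # the "less than a month" window from the post
    for name, size in CHARSETS.items():
        print(f"{name:16s} {size:3d}^{length} = {keyspace(size, length):.3e} "
              f"({entropy_bits(size, length):.1f} bits), "
              f"exhausted in a month at {required_rate(size, length, month):.2e} guesses/s")
    # How long a hex or lowercase password must be to match 8 chars from 94 symbols.
    for name in ("hex digits", "lowercase"):
        print(f"{name}: need {equivalent_length(94, length, CHARSETS[name])} chars "
              f"to match 94^{length}")
```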