<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Mike Warfield wrote:</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><div style="font-size: 12pt; font-family: Helvetica, Arial, sans-serif;">> The passwords where hashed and salted but simple </div><div style="font-size: 12pt; font-family: Helvetica, Arial, sans-serif;">> passwords are still subject to off-line brute force and </div><div style="font-size: 12pt; font-family: Helvetica, Arial, sans-serif;">> rainbow table attacks. </div></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><font face="arial, helvetica, sans-serif" size="3">I thought the whole point of salting was to prevent rainbow tables. They don't go into details of their salting scheme, but assuming they used a separate random 32 character salt for each user, wouldn't that eliminate the effectiveness of rainbow tables? Of course, brute-force is still a big issue here, especially with these multi-graphics-card boxes they have now, but I thought salts were used pretty much for the sole reason of thwarting rainbow tables.</font><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">By the way, as for thwarting the hash-cracking boxes, I found this "Security Now!" talk from 1/23/2013 on "Memory Hard Problems" interesting: http://www.grc.com/sn/sn-388.htm .</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">I use the Linux pwgen command for generating long passwords I don't need to remember, i.e., situations where a long password is needed for one service to talk to another service, and the password will be stored in a conf file on the client. If I need to create a password to tell someone over the phone, I made a script that has this one line:</div><div><font face="arial, helvetica, sans-serif"> echo $(shuf /var/lib/diceware.wordlist.asc |head -5|cut -d' ' -f2)</font></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">If you Google the base filename, it'll come right up. The cut -d param is a tab. This is along the lines of the famous xkcd method linked to in this thread by Richard Bronosky.</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Regarding the sites that block passwords based on a dictionary word--I wonder if you took the set of all possible passwords of a certain length and eliminated all the ones that cracklib rejects, if you wouldn't end up with a smaller set than the ones you kept! ;-) I don't know if certain particular sites were specifically using cracklib, but they seem to reject an awful lot of complex passwords.</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Considering they should be only storing a hashed version of your password (+salt) which will come out to the same length no matter how long your password is, there's really no excuse for a website limiting the max length or content of your password.</div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div><font face="arial, helvetica, sans-serif" size="3">My other pet-peeve is how so many ridiculous websites ask you these personal questions, like your mother's maiden name, your first pet, etc. It made a certain amount of sense back when it was just your bank or credit card, but I can't stand all these newspapers, blogs, email providers, vendor websites, etc., asking these questions and usually 2, 3, or more. If you play along, it just means there's the possibility (</font><font face="arial, helvetica, sans-serif">likelihood</font><font face="arial, helvetica, sans-serif" size="3">?) of some massive database being created with your answers to all these questions. With very few exceptions, I answer nonsense to these questions. OMG! What if I've permanently lost my password to my free Podunk Daily Times login! Oh yeah, I'll create a new one or go without. Of course, those are the sites that require a 12 character password with 3 symbol, 2 numbers, a chinese character, and a random dance move. </font></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: arial, helvetica, sans-serif; font-size: 12pt;">Scott<br><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><br></div></div></div></body></html>