this is a belated answer to the password discussion and what counts as a secure password.

there was a recent paper at ccs on why entropy based metrics (or for that matter most other universal metrics) do not provide formulas for secure passwords, since the attacker models cannot be foreseen. the authors state in their conclusion:

"Our experiments categorically show that the notion of password entropy, as put forward in the NIST SP800-63 document, does not provide a valid metric for measuring the security provided by password creation policies. This is not to cast aspersions at the rest of the SP800-63 document which is otherwise of the highest quality. Furthermore, we validated the findings in [7], using empirical evidence, that there is no way to convert the notion of Shannon entropy into the guessing entropy of password creation policies."

the author has since written some further blog posts discussing the results:
http://reusablesec.blogspot.com/2010/10/new-paper-on-password-security-metri...

nevertheless, knowing the most popular passwords is probably in itself important feedback to any "root", if not non-root users,

cheers,
s.

Message: 2
Date: Thu, 4 Nov 2010 00:30:59 +0100
From: Sari <angyjoe@gmail.com>
To: air-l@listserv.aoir.org
Subject: Re: [Air-L] Fwd: most popular passwords
Message-ID: <AANLkTinwtg8L-t-kPBWUOUecNfHGz0CW9vzjP5xHbRmC@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

I just love the password generator http://keepass.info/screenshots/pwgen_big.png in KeePass. You can easily get a password that is strong enough (in bits please, NOT in number of symbols) to remain secure over your entire lifetime? I know, you won't be able to remember it (of course, I don't), but you can always save it in an encrypted KeePass database. For portability, copy that database to your memory stick. Lose your memory stick (I did)? No problem, since the database is safeguarded under AES 256 bit.

AES might not stay safe for a long time to come though, see the recent: http://portal.acm.org/citation.cfm?id=1713127

/Sari

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
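An added illustration of the point made in the first message above (this is not code from either email or from the cited paper): two constructed password distributions with identical Shannon entropy, for which Massey's guessing entropy and the fraction of accounts recovered within k guesses per account differ sharply. The password strings and probabilities are constructed for the example.

```python
import math

# Constructed distributions (not from the paper): 16 equally likely passwords
# versus one dominant password plus 64 rare ones. Both have H = 4 bits.
UNIFORM = {f"pw{i:02d}": 1 / 16 for i in range(16)}
SKEWED = {"123456": 0.5, **{f"rare{i:02d}": 1 / 128 for i in range(64)}}


def shannon_entropy(dist):
    """Shannon entropy H = -sum p log2 p of a password distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def guessing_entropy(dist):
    """Massey's guessing entropy: expected number of guesses when passwords are
    tried in decreasing order of probability (the guesser's best ordering)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(i * p for i, p in enumerate(probs, start=1))


def fraction_cracked(dist, k):
    """Fraction of accounts recovered with at most k guesses per account, the
    figure that matters when a lockout or rate limit bounds online guessing."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:k])


def compare(dist, budgets=(1, 3, 10)):
    """Summarise one distribution under all three metrics."""
    return {
        "shannon_bits": shannon_entropy(dist),
        "guessing_entropy": guessing_entropy(dist),
        "cracked_within": {k: fraction_cracked(dist, k) for k in budgets},
    }


if __name__ == "__main__":
    for name, dist in (("uniform", UNIFORM), ("skewed", SKEWED)):
        r = compare(dist)
        print(f"{name}: H={r['shannon_bits']:.2f} bits, "
              f"G={r['guessing_entropy']:.2f} guesses, "
              f"cracked within k guesses: {r['cracked_within']}")
```

Both distributions score exactly 4 bits, and the skewed one even has the higher guessing entropy, yet half of its accounts fall to a single guess, so neither number alone says how a policy fares against a particular attacker.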