Pass the Chocolate
Scott Granneman, 2004-05-26

For the 70% of the population that will trade their computer password for a bar of chocolate, this one's for you.

Comments:
  Pass the Chocolate, 2004-05-27, pthread (1 reply)
    Pass the Chocolate, 2004-06-01, Anonymous
  Pass the Chocolate, 2004-05-27, Dominic Cronin
  Pass the Chocolate, 2004-05-27, Anonymous (1 reply)
    Pass the Chocolate, 2004-05-28, microchp
  Pass the Chocolate, 2004-05-27, N. Alan
  Pass the Chocolate, 2004-05-27, Anonymous
  Pass the Chocolate, 2004-05-27, Anonymous (1 reply)
    Pass the tequila, 2004-05-27, Mene Tekel
  Pass the Chocolate, 2004-05-27, Anonymous
  Pass the Chocolate, 2004-05-27, E. de Jong
  WRITE them passwords down..., 2004-05-27, Nicholas Weaver
  Pass the buck, 2004-05-27, Mene Tekel (1 reply)
I tried to read this as a user would. And you lost me when you started with a=@, b=6... It doesn't matter whether you can explain it -- it looks like gobbledygook to a user, who in the best case will skip down to read the explanation part later (if ever). But what's further down requires that you had a perfect understanding of the above, else it just makes the user feel stupid and alienated. Heck, it looked awfully technical to ME, and I read and write hex like a native.

And, trust me, you're not helping them all that much either, with that k3w15p3@k obfuscation part. Both Crack and John the Ripper will use s/@/a/ type rules as part of the cracking, just to catch those who are lulled into a false sense of safeness by doing just this.

Oh, and you might want to redo the initial password example. # is a character that has special meaning and even if legal in the password may create problems for other apps (like mail apps and ppp logins) where the password is kept in plaintext in a line that allows #-to-the-end-of-line comments. This has caused quite a few sysadmins quite a bit of troubleshooting headache over the years, and you're not helping here.
"#" (and to a lesser degree ";") should be avoided unless you know it will NOT cause problems.

Otherwise, good try. Just simplify it. Then simplify it again. Run it through a voice output program -- if it doesn't make sense then, simplify it even more.

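Added example (editorial, not part of the column or of any comment in this thread): the point above about s/@/a/ rules is easier to see with a minimal dictionary attack that applies a leet-substitution rule in the style of Crack and John the Ripper. The substitution table, the three-word dictionary, the "kewlspeak" base word and the use of unsalted SHA-256 as the target hash are all assumptions made for the demo; real rule files are larger and the real targets are system password hashes.

```python
import hashlib
import itertools

# Single-character "leet" substitutions in the spirit of the mangling rules
# shipped with Crack and John the Ripper. Assumed for this demo; the real rule
# files are larger and also cover case changes, prefixes, suffixes, etc.
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}


def leet_variants(word):
    """Yield every spelling of `word` obtained by independently deciding, for
    each substitutable letter, whether to replace it. The plain word is
    yielded first and the fully substituted form last."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for substitute, i in zip(mask, positions):
            if substitute:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def variant_count(word):
    """Cost of the rule for one dictionary word: 2 ** (substitutable letters)."""
    return 2 ** sum(1 for c in word if c in LEET)


def sha256_hex(password):
    """Unsalted SHA-256 stands in for whatever hash the target system uses;
    the candidate generation is the point, not the hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hex, wordlist, algorithm="sha256"):
    """Dictionary attack with the leet rule applied to every word.

    Returns (base_word, cracked_password, guesses_made) on success, or None
    when no word in the dictionary, under any substitution, hashes to the target.
    """
    guesses = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            guesses += 1
            digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
            if digest == target_hex:
                return word, candidate, guesses
    return None


if __name__ == "__main__":
    # Constructed target: the "k3w15p3@k" spelling of "kewlspeak", hashed.
    target = sha256_hex("k3w15p3@k")
    # Constructed three-word dictionary; the base word is deliberately last.
    words = ["password", "chocolate", "kewlspeak"]
    print("dictionary expands to %d guesses" % sum(variant_count(w) for w in words))
    print("recovered:", crack(target, words))
```

The expansion factor is only 2 to the power of the number of substitutable letters per word (32 for "kewlspeak"), so the rule makes the dictionary a few dozen times larger, not millions of times larger; that is why swapping a few letters for symbols buys so little against a cracker that ships these rules by default.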
    Pass the buck, 2004-06-01, Anonymous
  Pass the Chocolate, 2004-05-28, Anonymous
  Pass the Chocolate, 2004-06-01, Tommy Ward (2 replies)
    Pass the test, 2004-06-03, Mene Tekel
    Re: Pass the Chocolate, 2006-11-28, Anonymous (1 reply)
      Re: Re: Pass the Chocolate, 2007-06-15, Anonymous
  Pass the Chocolate, 2004-06-02, steeef
  Pass the Chocolate, 2004-06-06, Anonymous
Copyright 2009, SecurityFocus