While most of the advice here is good, some of it is just garbage.
Using familiar structures like phone numbers, file paths, or emails is a great way to improve the likelihood that your password can be guessed -- not cracked, just GUESSED. After a couple of days of use, a skilled typist can enter Dj#wP3M$c just as fast as anything else.
The example of replacing "j0hn" with "j()hn" is a terrible one. If a cracker is going around replacing o with 0, why wouldn't they also replace o with ()? Parentheses are hardly any more unpredictable than numbers are. Better to stay away from names and words (or words with a few simple substitutions) entirely.
Link to this comment: http://www.securityfocus.com/comments/infocus/1554/637#637