[ale] evernote security breach

Jay Lozier jslozier at gmail.com
Mon Mar 4 21:38:49 EST 2013


On 03/04/2013 07:56 PM, JD wrote:
> On 03/04/2013 06:54 PM, Jay Lozier wrote:
>> I tend to use very long gibberish passwords (KeePassX) that include any keyboard
>> character including punctuation. I consider 15 characters unacceptably short.
> This.
>
> KeePass v1.x on Windows
> KeePassX on Linux
> KeePassDroid on Android
>
> They all share the same binary DB.  Easy to rsync everywhere, though I suppose
> if you trust 3rd parties, something like Dropbox could do it too.
>
> If I am not going to type the password, and I don't with KeePass - why not use
> something long, random, unique, if it is allowed?  My default is 44 chars. Only
> after that is rejected and I carefully read the requirements will I limit the
> alphabet.
>
> I consider anything less than 20 characters weak.
>
> Look up "Pure Hate's password cracking" presentation and you'll never use
> anything less than 15 characters again.
>
> My passwords are not just for today, but I'm trying to be reasonably secure for
> that data for the next 20 yrs.  People are recording and saving encrypted
> traffic today to be cracked in the future.  They are working on encrypted
> traffic from 15 yrs ago now - AND being successful.
>
My opinion is that, with sufficient time, any password is crackable. I
just want them hard enough that my passwords will take years or decades
with current capabilities and should be good for several years. Also,
with every site having its own very long password, if you get one of my
passwords you do not endanger any other accounts. Since most people
reuse relatively weak passwords, I am relatively safe if someone gets one of
my passwords. By the time they probably crack the password I may have
changed it, closed the account, etc.

-- 
Jay Lozier
jslozier at gmail.com


