I was beside myself with glee to learn after all these years that Steve uses the same password generating technique that I do: making up nonsense words (with additional numbers and characters). I've long suspected that he might be the sort of guy who makes up silly words (diddly doodly).
A couple thoughts: Some of my old nonsense words are too short by today's standards. Also, some of the words we might think are our own creations might really be something from an old TV show we remember from childhood (e.g. ack-acka-dack-dack-dacka-ack).
But this brings me around to where I keep getting mixed up. (I hope I'm using the right terminology.) If my password can be 65 characters, upper/lower case, numbers and specials, then the search space is very large. If my password is combined with a unique, used-only-once, pseudo-random salt and hashed properly, then its existence in a precomputed Rainbow Table is (highly) unlikely.
If an attacker gains access to a company's collection of properly encrypted passwords, and she singles out the hash that corresponds to mine, she would not only have to guess my password in its entirety, but also the salt. In other words, wouldn't the hash of "monkey1234" look as much like gibberish as one of GRC's Perfect Passwords? I don't understand how Leo's comment about frequency analysis would factor in, unless the attacker could go character by character. Obviously she will try "monkey1234" long before a Perfect Password. But in a bizarro world where monkeys don't exist (like in German)...
Chapter 8 from Jasper van Woudenberg and Colin O'Flynn's book, The Hardware Hacking Handbook, is available for free from No Starch. If I understand what they're saying, then you can go character by character in a timing or power analysis attack. But that's not what an attacker who grabs a password list from LazySecurity-dot-Com would be doing, is it?
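Editor's note: the post above contrasts a precomputed Rainbow Table with a per-user salt and a dictionary-style guess at "monkey1234". The following Python is an example added here, not code from the original post or from GRC, showing those three situations side by side: an unsalted hash that a precomputed table finds instantly, the same password stored with a random 16-byte salt and PBKDF2-HMAC-SHA256 (which that table cannot match), and a per-record dictionary attack that still recovers "monkey1234" because the salt is stored alongside the hash and is available to whoever stole the table. The six-word list and the iteration count are constructed for the example; a real wordlist and work factor would both be far larger.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "monkey", "monkey1234", "letmein", "qwerty"]
# PBKDF2 work factor, kept small so the example runs quickly; production uses far more.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: exactly what a Rainbow Table precomputes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> Dict[str, str]:
    """hash -> password map; a trivial stand-in for a Rainbow Table."""
    return {unsalted_hash(w): w for w in words}


def lookup_in_table(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Offline lookup: no hashing at attack time at all."""
    return table.get(hash_hex)


def salted_hash(password: str, salt: bytes) -> bytes:
    """'Hashed properly': slow KDF over password + per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, hash) as a site would store them. The salt is random per
    record but is NOT secret: it sits next to the hash in the same table."""
    salt = os.urandom(SALT_BYTES)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_one_record(salt: bytes, stored: bytes, words) -> Optional[str]:
    """Online dictionary attack against a single stolen record. Because the salt
    is known, each guess costs one KDF call per record; nothing is precomputable."""
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt), stored):
            return w
    return None


def demo() -> dict:
    """Run the three scenarios and return the outcomes."""
    table = build_precomputed_table(WORDLIST)
    # 1. Unsalted storage: the precomputed table finds the weak password.
    unsalted_hit = lookup_in_table(unsalted_hash("monkey1234"), table)
    # 2. Salted storage of the same weak password: two users, two different hashes,
    #    and neither appears in the precomputed table.
    salt_a, hash_a = store_password("monkey1234")
    salt_b, hash_b = store_password("monkey1234")
    salted_table_hit = lookup_in_table(hash_a.hex(), table)
    # 3. Per-record guessing still works for the weak password, but a long random
    #    password (a constructed stand-in for a GRC Perfect Password) is not in any list.
    cracked_weak = crack_one_record(salt_a, hash_a, WORDLIST)
    perfect = "q7Z$k2Lp!vR9xW0b#Ns4Ty6Uh8Jm1Gf3Dc5Ae^Xo2Bn&Vz7Qr9Ki0Lw4Pe6Mt8"
    salt_p, hash_p = store_password(perfect)
    cracked_perfect = crack_one_record(salt_p, hash_p, WORDLIST)
    return {
        "unsalted_table_hit": unsalted_hit,
        "salted_hashes_differ": hash_a != hash_b,
        "salted_table_hit": salted_table_hit,
        "cracked_weak_salted": cracked_weak,
        "cracked_perfect_salted": cracked_perfect,
        "verify_ok": verify_password("monkey1234", salt_a, hash_a),
        "verify_wrong": verify_password("monkey1235", salt_a, hash_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt does its job in case 2: the precomputed table is useless against every salted record, and two users who chose the same password get unrelated hashes. It does nothing in case 3, where the attacker simply reads the salt out of the stolen table and hashes her wordlist against that one record; what saves the long random password there is only that it is not on any list.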