POLL: Should I change servers?

[Mr. Scram]

Actually that "then you must use relatively weak passwords because they must be memorable as must the user identifiers"  is wrong.  There is a way and newer papers have been coming out on it.  You use random but associable words along with a symbol/number or two mixed in.  This produces very high entropy while still being able to be used by most humans.  Really good read if you search for it.  I used to think like you do..  now this does have a flaw in in big data can really weaken it due to predicting human patterns at large.. kinda like Hunter2 but if you can train people away from those patterns and into using a more random but remember-able state.. it does work wonders.  Least for now.

Passphrases aren't ideal. A dictionary attack will greatly reduce the entropy of one and the fact that people permutate words in fairly predictable ways only exacerbates the issue.

The underlying problem is that people are terrible at being properly random. On paper a passphrase yields a huge entropy, but human behaviour ruins that.

[Zucca]

Any updates?

[gnif]

We should be going live later this week, I have had to give priority to paid work.

[Ampera]

We should be going live later this week, I have had to give priority to paid work.

Excited to see how it all works out. Good work gnif!

[kulla]

Holding thumbs crossed that migration goes well, as I know how migrations works

I know you don't need it but in case you need any help from fellow sysadmin regarding nginx or anything else I'm all yours.

[helius]

You completely dodge the point that if you don't use a password manager then you must use relatively weak passwords because they must be memorable as must the user identifiers. One of my password stores contains 98 passwords, the other contains 110. They almost all have completely random passwords with 48 bits minimum entropy and most of the user identifiers are also random strings (or email address with random user parts) with a minimum of 48 bits of entropy. That's a lot of entropy, certainly more that anyone normal could remember.

"Must" is too strong. Have you never seen one of these?

You don't even have to write down the random letters you use, you can use letters picked (systematically) from a novel or other book. The mind is a critical keystore (it's the only one that requires your volition to unlock it) but it should be used to key into larger sets of data.

[Cerebus]

You completely dodge the point that if you don't use a password manager then you must use relatively weak passwords because they must be memorable as must the user identifiers. One of my password stores contains 98 passwords, the other contains 110. They almost all have completely random passwords with 48 bits minimum entropy and most of the user identifiers are also random strings (or email address with random user parts) with a minimum of 48 bits of entropy. That's a lot of entropy, certainly more that anyone normal could remember.

"Must" is too strong. Have you never seen one of these?

You don't even have to write down the random letters you use, you can use letters picked (systematically) from a novel or other book. The mind is a critical keystore (it's the only one that requires your volition to unlock it) but it should be used to key into larger sets of data.

How strange to post an image of a notebook, but to omit to quote the last paragraph of what I wrote:

All the people I know or know of in the infosec business recommend using a password manager, and wherever possible using non-memorable random passwords. Bruce Schneier even once went so far as to say that you should write strong passwords down on paper in preference to using ones that are memorable but weak.

In case you don't recognise the name, Bruce is possibly the foremost cryptologist regularly writing for consumption by the general technical community. He was one of the submitters, and finalists, for both NIST competitions that led to AES and SHA-3. When someone of that calibre offers advice I'm going to listen to them.

[helius]

I subscribe to the belief that you needn't read everything someone has ever said to understand one sentence. The consequence of this belief is that if you start your message with a falsehood, I will not read it to the end.

[Cerebus]

I subscribe to the belief that you needn't read everything someone has ever said to understand one sentence. The consequence of this belief is that if you start your message with a falsehood, I will not read it to the end.

  Unbelievable ...

[Zucca]

Are we now riding on the new beast?

[Monkeh]

Are we now riding on the new beast?

For some time. Only minor bumps in the road.

[bitseeker]

Excellent!