frustrate shouldservers

Janina Sajka janina at
Fri Feb 3 17:25:20 UTC 2017

This has been a very good thread.

I have one additional suggestion which is to add something you
personally know, but that could not be guessed very easily, nor exposed
by a dictionary attack.

I find alternative, non standard phonetic spellings helpful this way.
Even better are obscure, obsolete spellings of place names, people,
objects, or concepts, particularly
if the source language isn't English.

On its own this strategy is insufficient, of course. But two or three
such terms, plus the hashing described below, builds up a good password,

Of course, it's also important to employ available technology to thwart
scripted attacks, e.g. with applications like denyhosts or fail2ban.
Also, if you don't need to be open to access from the general public,
move to IPv6 and shutdwon as much IPv4 access as possible. Anyone who
has external access to any of my machines understands they need to come
in via IPv6, because I'm not listening for connections on IPv4.
Obviously, that doesn't work for mail or web traffic, but it's really
helpful for sshd.

PS: If we've not mentioned it, the pwgen command has many useful


Tim Chase writes:
> I've used a technique that's come to be known as "password
> haystacks" (see link below) which involves simply padding your
> good (or even written shoulder-surfable) password out to a reasonable
> length to make the brute-force cracking all the more complex.
> So say my password is "correct horse battery staple".  I might take
> that and then add 8 periods at the end. Or 10 ampersands.  Or
> alternate dash-equals-dash-equals as many times as you want. Or
> whatever secret character or characters you want and however many of
> them you want.  It's also particularly handy if you have to change
> your password on a regular basis (I usually just change the haystack
> characters).
> Alternatively, if you use a GUI and "keepassx" is accessible in your
> screen-reader, it allows you to generate strong passwords, keep them
> safe behind one master password, keep them hidden from
> shoulder-surfing eyes, and will auto-type them into the last window
> you were in.  This is the solution I use for most passwords (except
> my master passwords, for which I use the haystack method).
> -tim
> _______________________________________________
> Blinux-list mailing list
> Blinux-list at


Janina Sajka,	Phone:	+1.443.300.2200
			sip:janina at
		Email:	janina at

Linux Foundation Fellow
Executive Chair, Accessibility Workgroup:

The World Wide Web Consortium (W3C), Web Accessibility Initiative (WAI)
Chair, Accessible Platform Architectures

More information about the Blinux-list mailing list