On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above? I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean. ;-) Just looking for ideas.
> >
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
>
> https://xkcd.com/936/

Not strictly true ... the crackers would probably use rainbow tables attacks first. Also, it isn't fair to compare an 11 character passwd against a 25 character passwd. For the *same* number of characters used in any given passwd, a random lower/upper/numerical/symbol passwd will provide an exponentially higher degree of difficulty in cracking it with brute force, than one which uses only lower case dictionary words.

Anyway, these days many attacks are focused on OS or hardware vulnerabilities which have been baked in by design, rather than brute force attacks. Any financial company worth their salt are employing 2-factor authentication and account lockups to stop brute forcing of users' credentials. So, guarding against your own OS compromise is more important than individual website credentials.

You will be surprised how many people are still using passwds like:

password
password1
arsenal
manchesterunited2018
fido

on websites which store their credit card details. O_O

You may want to take a look at app-admin/apg and to mitigate against your CPU's lack of randomness use sys-apps/haveged. Combining multiple outputs of apg should arrive at a passwd which is more secure than not.

--
Regards,
Mick
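The same-length comparison made in the message above, worked through as an added example (not code from anyone in the thread). It assumes every character or word is picked uniformly at random, a 94-character printable ASCII alphabet, and a 2048-word list (the 11 bits per word that xkcd 936 assumes); the 16-word list embedded here is constructed for the demo only.

```python
import math
import secrets
import string

# 94 printable ASCII characters: lower, upper, digits, symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word sample list; a real passphrase list holds thousands of words.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "forest", "garnet", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]

def random_password(length, alphabet=FULL_ALPHABET):
    """Uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(n_words, words=SAMPLE_WORDS, sep=""):
    """Uniformly random passphrase of n_words lower-case dictionary words."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def bits_random(length, alphabet_size=len(FULL_ALPHABET)):
    """Brute-force search space, in bits, of a random character password."""
    return length * math.log2(alphabet_size)

def bits_passphrase(n_words, wordlist_size):
    """Search space, in bits, when the attacker knows the word list."""
    return n_words * math.log2(wordlist_size)

def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

if __name__ == "__main__":
    xkcd_words, xkcd_list = 4, 2048          # four words, 11 bits each (assumption)
    print("sample 25-char random password:", random_password(25))
    print("sample 4-word passphrase      :", passphrase(4, sep=" "))
    print(f"11 random chars : {bits_random(11):6.1f} bits")
    print(f"25 random chars : {bits_random(25):6.1f} bits")
    print(f"4 random words  : {bits_passphrase(xkcd_words, xkcd_list):6.1f} bits")
    print("words needed to match 11 random chars:",
          words_needed(bits_random(11), xkcd_list))
```

The figures only hold for machine-generated secrets; a word or character pattern chosen by a person has far less entropy than these formulas give.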