FAQ: How can I generate good strong passwords?

What goes around comes around. :)

Reply to
John Navas

Yeah, it did get kinda garbled didn't it? :-) "at least some of what's"

I've never seen the section on his site about passwords, so I can't comment on it, but then all I'm trying to say is that some of what's on grc.com is perfectly valid.

You just need to tread carefully as you do pretty much anywhere. Everyone has their foibles and weaknesses, heck I've seen far more heavyweight people become quite deranged when it came to, oh, the colour of teacups or endianness or DRM, or whatever.

If you mean formatting link (which I've now taken a look at), I'd be interested to hear your clarification of precisely why it's insecure and dumb.

I'm following my own advice you see. :-)

Mark McIntyre

Reply to
Mark McIntyre

You won't get one from John. My experience is that if you disagree with him, he first saturates you with factoids, then heads for outright contradiction without any explanations, then name-calling.

I suspect some of what he has to say is interesting, but frankly his attitude is sufficiently trollish for my auto-kill-filters to suggest him, and I took the hint some time back.

Mark McIntyre

Reply to
Mark McIntyre

: :What goes around comes around. :)

Keep in mind here that I am no Steve Gibson supporter, nor do I really read anything on his site. About the only thing I have used or taken from it is the port scanner, and that was before I started using nmap and nessus to scan my own ports, but out of the few sites I've read that take shots at him and talk about a lot of misinformation, I have yet to see any specifics. Is there a place to go check out that will actually point out some specific cases where he was misinforming or misleading people or just flat giving wrong information? I'm not on either side, but I would like to read and see what all of the fuss is about. I'm still trying to find on his site where he proclaims to be a security expert also.

Reply to
Dave

Hi All,

Try this free utility - ViPNet [Password Roulette] - it is a Free password generator, which makes easy-to-remember passwords! Did you see it? You might not use it but I am sure you will have some fun with generated passwords. It is free.

formatting link

"... The innovation of this software is simple and genius. The passwords are derived from word phrases easy to remember. Often these phrases have a humorous touch facilitating the process of memorizing. The password list can be generated in 3 languages: English, German and Russian. Additionally ViPNet [Password Roulette] can generate random digital passwords ..."

Reply to
novikov
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Case in point:

Watch him on TV with Leo Laporte.

Reply to
John Navas

You know it to be safe and secure because ... ?

A basic premise of good security is to take nothing at face value.

Reply to
John Navas

Because it's only as secure as the trustworthiness of the website, which is completely unknown. Even if GRC is trustworthy (including every last person with access, something impossible to ascertain), you have no way of knowing if the site itself has been compromised. Notwithstanding that, Steve uses lots of wild and misleading hyperbole (as usual):

"Ultra High Security"

"totally random"

"perfect and safe"

"Every one is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again."

"Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this page which was custom generated just now for you will not be cached or visible to anyone else."

"... derived from the highest quality mathematical pseudo-random algorithms known. In other words, these password strings are as random as anything non-random can be."

"Since the passwords used to generate pre-shared keys are configured into the network only once, and do not need to be entered by their users every time, the best practice is to use the longest possible password and never worry about your password security again."

These things are either unknowable or outright false, often self-contradictory, so he's either a charlatan or an idiot, take your pick.

That last part ("never worry about your password security again") sends shudders down my spine.

Reply to
John Navas
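
Added example, not part of any post in this thread: the last post's objection is that a password delivered by a website is only as trustworthy as that site, so this generates WPA pre-shared key material locally from the operating system's CSPRNG instead. The function names and the `SAFE` alphabet are choices made for this example; the 8 to 63 printable-ASCII passphrase rule, the 64-hex-digit form and the 256-bit derived key are WPA/WPA2-PSK properties.

```python
import math
import secrets
import string

# Printable ASCII 0x20-0x7E: the characters a WPA/WPA2 passphrase may contain.
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))
# Constructed subset that avoids spaces and quoting-hostile characters,
# for devices whose setup pages mangle them (an assumption of this example).
SAFE = string.ascii_letters + string.digits + "-_.+=@%"


def wpa_passphrase(length=63, alphabet=PRINTABLE):
    """Return a passphrase drawn uniformly from `alphabet` using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in alphabet):
        raise ValueError("alphabet must be printable ASCII")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("duplicate characters would bias the output")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wpa_hex_key():
    """Return a raw 256-bit pre-shared key as 64 hex digits."""
    return secrets.token_hex(32)


def effective_bits(length, alphabet_size):
    """Entropy of a uniform random passphrase, capped at the 256-bit key
    that WPA/WPA2-PSK derives from it; length beyond the cap adds nothing."""
    return min(length * math.log2(alphabet_size), 256.0)


if __name__ == "__main__":
    print("63-char passphrase:", wpa_passphrase())
    print("20-char, SAFE set :", wpa_passphrase(20, SAFE))
    print("64-hex-digit key  :", wpa_hex_key())
    print(f"63 chars of 95     : {effective_bits(63, len(PRINTABLE)):.0f} bits")
    print(f"20 chars of {len(SAFE)}     : {effective_bits(20, len(SAFE)):.0f} bits")
```

Nothing here leaves the machine it runs on, so the result depends only on the local operating system's random source and on how the key is stored afterwards.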

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.