Read on Twitter
Reminder to anyone generating random strings to use as passwords : please refrain from using anything else than alphanumeric characters.
If you want more entropy, just make it longer.
Why ?
If you want more entropy, just make it longer.
Why ?
Adding special characters does not bring any extra security compared to making the string longer.
It however brings new categories of problems : escaping special characters in config files / storage medium / transmission medium.
It however brings new categories of problems : escaping special characters in config files / storage medium / transmission medium.
This can happen in very unexpected shapes.
* A crappy rescue web terminal where you can't type your emergency root password
* A yaml config file
* A physical serial console
* Dictating it over the phone
* Typing it on a keyboard layout other than yours
* A crappy rescue web terminal where you can't type your emergency root password
* A yaml config file
* A physical serial console
* Dictating it over the phone
* Typing it on a keyboard layout other than yours
This thread only affects passwords that won't need to be remembered.
For example, service account passwords, or passwords stored in your password manager.
User-rememberable passwords are an entirely different story, cf https://xkcd.com/936/
For example, service account passwords, or passwords stored in your password manager.
User-rememberable passwords are an entirely different story, cf https://xkcd.com/936/
