
Template:User committed identity/doc: Difference between revisions

Line 32:
# Try not to choose a secret string that represents your identity that could go completely out of date. So, for instance, it may be bad to choose a string that specifies ''only'' your telephone number as that number might change.
# If you want to change your secret string, do so, but keep track of all your old secret strings. It is best to reveal all of them if you ever want to confirm your identity, as this will establish that you are the same person who used your account from the first moment the committed identity was published.
# Your secret string should not be short. A dedicated attacker could, by brute force, try short strings until they find your secret string, but if your string is longer that attack would be impractical. If your string is 15 characters long, there are around 10<sup>27</sup> strings of that length, or an [[en:octillion|octillion]] (and that's just counting alphanumeric strings with spaces).
# Your secret string should not only contain an email address, name or phone number, but should contain hard to guess components. "jsmith@hotmail.com" for example may be vulnerable to both [[en:dictionary attack]]s and a search of email addresses, enabling attackers to check 'only' those hundred million names against all published hashed identities, which is computationally much easier than trying to identify a randomly chosen string.
<templatedata>
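Review bot: In the list item about email addresses, "those hundred million names" has no antecedent, so the reader cannot tell which set of names is being searched; name it explicitly (for example, a list of known email addresses). The same item marks emphasis as 'only' with single quotes, while the first item in this hunk uses ''only'' italic markup, so one of the two should be changed for consistency. "Should not only contain" is also ambiguous and would read more clearly as "should not consist only of".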
Line 40:
}
</templatedata>
 
=== <includeonly>Heading text</includeonly><div class="references-small"> ===
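Review bot: The heading after the closing </templatedata> opens <div class="references-small"> inside the heading markup, and no matching </div> is visible, so everything rendered after it may inherit that class. "Heading text" reads as leftover placeholder wording, and because it is wrapped in <includeonly> the heading has no text at all when the documentation page is viewed directly. Either drop this line or replace it with a real section title and put a properly closed div below the heading rather than inside it.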
 