From 506a097328bc80fad12425f0486a42be89188da9 Mon Sep 17 00:00:00 2001 From: Rob van Son Date: Thu, 14 Jun 2012 15:36:15 +0200 Subject: [PATCH] Documentation CreateUser account --- CGIscriptor.html | 2 +- CGIscriptor.pl | 2 +- Private/manual.html | 27 ++++++++++++++++++++++++++- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/CGIscriptor.html b/CGIscriptor.html index 9695b86..8fedae0 100644 --- a/CGIscriptor.html +++ b/CGIscriptor.html @@ -1683,7 +1683,7 @@ the salts are generated from /dev/urandom. You should check whether the implementation of /dev/urandom on your platform is secure before relying on it. This might be a problem when running CGIscriptor under Cygwin on MS Windows.
-Note: not attempt is made to slow down the password hash, so bad +Note: no attempt is made to slow down the password hash, so bad passwords can be cracked by brute force

diff --git a/CGIscriptor.pl b/CGIscriptor.pl index cddf43d..7de19a4 100755 --- a/CGIscriptor.pl +++ b/CGIscriptor.pl @@ -1874,7 +1874,7 @@ if(grep(/\-\-help/i, @ARGV)) # implementation of /dev/urandom on your platform is secure before # relying on it. This might be a problem when running CGIscriptor under # Cygwin on MS Windows. -# Note: not attempt is made to slow down the password hash, so bad +# Note: no attempt is made to slow down the password hash, so bad # passwords can be cracked by brute force # # For the authentication and a change of password, the (old) password diff --git a/Private/manual.html b/Private/manual.html index f4b94b9..fc731fc 100644 --- a/Private/manual.html +++ b/Private/manual.html @@ -150,7 +150,7 @@ the salts are generated from /dev/urandom. You should check whether the implementation of /dev/urandom on your platform is secure before relying on it. This might be a problem when running CGIscriptor under Cygwin on MS Windows.
-Note: not attempt is made to slow down the password hash, so bad +Note: no attempt is made to slow down the password hash, so bad passwords can be cracked by brute force

@@ -161,5 +161,30 @@ hash function (SHA256) is used to create a one-way hash sum "encryption". A new password must be decrypted. New passwords are encryped by XORing them with the old password.

+ +

Strong Passwords: It is so easy

+

If you only could see what you are typing

+

+Your password might be vulnerable to + +brute force guessing. Protections against such attacks are +costly in terms of code complexity, bugs, and execution time. +However, there is a very simple and secure counter measure. See the +XKCD comic. The phrase, +There is no password like more password would +be both much easier to remember, and still stronger than +h4]D%@m:49, at least before this phrase was pasted as an example +on the Internet.
+Please be so kind and add the name of your favorite flower, dish, or +fictional character to your password. Say, Oleander, Curry, +or Sherlock (each adds 20 bits or more according to Google Ngram +viewer) or even the phrase Sherlock hates curry with oleander +(adds ~ 94 bits, note that oleander is poisonous, so do not try +this curry at home). That would be more effective than adding a million +rounds of encryption. +Typing long passwords without seeing what you are typing is problematic. +So a button should be included to make password visible. +

+ -- 2.11.4.GIT
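Review bot: in the CGIscriptor.html hunk at @@ -1683,7 the corrected sentence states the consequence ("bad passwords can be cracked by brute force") but not the cause. The surrounding context already says a SHA256 one-way hash over a /dev/urandom salt is used and that nothing slows it down, so consider saying plainly what that means for an attacker, e.g. "the salted SHA256 is computed once, so anyone who obtains the stored hashes can test candidate passwords at hardware speed", and pointing the reader at the Strong Passwords section added to Private/manual.html in this same patch, since that advice is the only mitigation offered.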
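Review bot: the CGIscriptor.pl hunk at @@ -1874,7 is the second of three identical copies of the same note (CGIscriptor.html, the --help text under if(grep(/\-\-help/i, @ARGV)) in CGIscriptor.pl, and Private/manual.html), and the patch has to apply the same one-word fix to each. Since the copies evidently drift independently, consider generating the HTML from the --help text (or the reverse), or at least adding a comment beside each copy naming the other two so future edits keep them in sync.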
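Review bot: in the Private/manual.html hunk at @@ -161,5 +161,30 the phrase "a million rounds of encryption" should read "a million hash iterations" (or "rounds of hashing"): the manual describes a SHA256 one-way hash and says no attempt is made to slow it down, so key stretching is what the comparison is about, not encryption. The magnitude of the comparison holds (a million iterations is about 2^20, i.e. roughly the 20 bits claimed for one added word), but the bit counts taken from the Google Ngram viewer measure how rare a word is in running text, not where it sits in a cracking wordlist; Oleander, Curry and Sherlock will be near the top of any list built from this manual, and the "~ 94 bits" for "Sherlock hates curry with oleander" assumes the words are chosen independently, which a grammatical sentence is not. Suggest labelling the numbers as rough estimates and telling the reader to pick words that are not printed here (the text already concedes this for the first example), and, while in this file, fixing "encryped" in the unchanged context line "New passwords are encryped by XORing them with the old password."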