At 10:14 AM -0500 5/2/2000, Rick Smith wrote:
>At 05:05 PM 04/30/2000 -0700, Steve Reid wrote:
>
>>Below is some sample output. The amount of entropy per passphrase should
>>be more than 89 bits, or almost the same as seven Diceware words.
>>However, if you generate N passphrases and pick the one that is easiest
>>to remember then you should subtract log2(N) bits from your entropy
>>estimate (assume an adversary knows how to try passphrases in order of
>>easiest-to-remember to hardest-to-remember).
>
>>1- the optative furore dankly bedevil the sixty-six creamware
>>2- the mouthless clepsydras sweatily abdicated the unfelt Commons
>>3- the talkative admirer cracking endure the declivous Andizhan
>>4- the unrested Atabrine corruptly graving the stateside flatness
>>5- the unvibrant kataplasia valorously reissuing the calcareous Portage
>
>Is it really necessary to protect against an attack that orders the phrases
>according to how easy they are to remember? Clearly, a practical brute
>force attack against the passphrases must be automated. But I don't know of
>an algorithm for assessing the "memorability" of a passphrase. If there
>were, I assume you'd use it to reject less appealing phrases, right?
>
>Rick.
If you give users a choice of, say, 8 passphrases and let them pick
the one they like most, you have lost at most 3 bits of entropy. It
will be hard for attackers to take full advantage of that loss, but
they can take partial advantage with some simple strategies. One
approach to generate "memorable" passphrases would be to rank each
word according to familiarity and generate trial words with a higher
frequency of memorable words. A more sophisticated approach might be
to link each word to other words that follow it naturally.
That said, getting users to actually employ a randomly generated
passphrase is probably worth the small loss in entropy. I am more
troubled by the length of Steve's sample passphrases. The median is
55 characters long, not counting spaces. A 7-word Diceware passphrase
would average 29.4 characters. Here are 3 Diceware passphrases I
just generated (no editing on my part and, yes, "anent" really is an
English word):
anent qq est qed dint rowdy 20
apex fj teem chert seethe zk dixon
bible cure pro airway hiram nib israel
Given that neither set's examples are all that easy to memorize, I'd
go with less typing; but tastes vary. I expect giving people two
passphrase generation strategies that have equal strength will let
them feel more in control and more willing to follow good security
practices.
Arnold Reinhold
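The entropy bookkeeping argued over in the thread above (log2 of the word-list size per word, minus log2(N) when the user keeps the most memorable of N generated candidates) and the character-length comparison between the two generators, as an added Python example; it is not part of the original thread and is not Diceware's own code. The sample phrases are copied from the two messages above; the eight-word list used by the generator is a constructed toy list, not the real 7776-word Diceware list, and the 4.2 characters per Diceware word is inferred from Arnold's 29.4-character figure (29.4 / 7).

```python
import math
import secrets
from statistics import median

DICEWARE_LIST_SIZE = 6 ** 5                            # 7776 words, one per roll of five dice
BITS_PER_DICEWARE_WORD = math.log2(DICEWARE_LIST_SIZE)  # about 12.92 bits
AVG_DICEWARE_WORD_CHARS = 29.4 / 7                      # assumption inferred from the thread

# Steve's five sample passphrases, copied from the quoted message above.
STEVE_SAMPLES = [
    "the optative furore dankly bedevil the sixty-six creamware",
    "the mouthless clepsydras sweatily abdicated the unfelt Commons",
    "the talkative admirer cracking endure the declivous Andizhan",
    "the unrested Atabrine corruptly graving the stateside flatness",
    "the unvibrant kataplasia valorously reissuing the calcareous Portage",
]

# Arnold's three Diceware passphrases, copied from the reply above.
ARNOLD_SAMPLES = [
    "anent qq est qed dint rowdy 20",
    "apex fj teem chert seethe zk dixon",
    "bible cure pro airway hiram nib israel",
]

# Constructed toy word list (NOT the real Diceware list) so the generator runs offline.
TOY_WORDLIST = ["anent", "apex", "bible", "cure", "dint", "rowdy", "teem", "chert"]


def entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n_words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def selection_loss_bits(n_candidates):
    """Worst-case entropy lost when the user picks a favourite among n_candidates
    phrases (the adversary is assumed to try the memorable ones first)."""
    return math.log2(n_candidates)


def effective_entropy_bits(n_words, n_candidates=1, list_size=DICEWARE_LIST_SIZE):
    """Entropy remaining after the user's choice is accounted for."""
    return entropy_bits(n_words, list_size) - selection_loss_bits(n_candidates)


def length_without_spaces(phrase):
    """Characters the user must type, spaces excluded (the thread's metric)."""
    return sum(len(word) for word in phrase.split())


def median_length(phrases):
    return median(length_without_spaces(p) for p in phrases)


def mean_length(phrases):
    return sum(length_without_spaces(p) for p in phrases) / len(phrases)


def dice_to_index(rolls):
    """Diceware lookup key ('11111'..'66666') to a zero-based list index."""
    index = 0
    for ch in rolls:
        die = int(ch)
        if not 1 <= die <= 6:
            raise ValueError("each die shows 1..6: %r" % rolls)
        index = index * 6 + (die - 1)
    return index


def index_to_dice(index):
    """Inverse of dice_to_index: zero-based index to a five-digit Diceware key."""
    rolls = []
    for _ in range(5):
        rolls.append(str(index % 6 + 1))
        index //= 6
    return "".join(reversed(rolls))


def diceware_passphrase(wordlist, n_words):
    """Pick n_words uniformly with the OS CSPRNG (the software stand-in for real dice).
    Returns (phrase, entropy in bits) for the given list size."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return " ".join(words), entropy_bits(n_words, len(wordlist))


if __name__ == "__main__":
    print("7 Diceware words: %.2f bits" % entropy_bits(7))
    print("after picking 1 of 8: %.2f bits" % effective_entropy_bits(7, n_candidates=8))
    print("median length of Steve's samples: %d chars" % median_length(STEVE_SAMPLES))
    print("mean length of Arnold's samples: %.1f chars" % mean_length(ARNOLD_SAMPLES))
    print("expected 7-word Diceware length: %.1f chars" % (7 * AVG_DICEWARE_WORD_CHARS))
    phrase, bits = diceware_passphrase(TOY_WORDLIST, 4)
    print("toy passphrase: %r (%.1f bits)" % (phrase, bits))
```

The numbers reproduce the thread: seven Diceware words carry about 90.5 bits, letting the user choose among eight candidates costs at most 3 of them, and Steve's samples have a median of 55 characters against Arnold's 29.4 for Diceware. The `dice_to_index` pair shows how a five-dice roll indexes the 7776-word list; `secrets` stands in for physical dice because it draws from the OS CSPRNG rather than a seeded PRNG.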