Excerpts from Simon McVittie's message of 2014-11-09 06:48:46 -0800:
> On 09/11/14 14:25, Clint Byrum wrote:
> > With that, I have to remember that Nobody is capitalized, and that the
> > spaces are replaced by $ and 5. The other approach accepts that we are
> > forgetful and so uses spaces. But it also has the weakness that if the
> > approach and the separators are suspected, one can very cheaply run a
> > dictionary attack before brute forcing random characters (and in fact
> > this is what many password cracking tools do).
>
> It's a trade-off. I didn't say "this is unacceptable because...", I only
> asked the question.
>
> The cost of a dictionary attack goes up exponentially with the number of
> bits of entropy in the password or passphrase, which is why I asked how
> much entropy this tool has. IMO, the right way to assess the quality of
> the passphrases produced by one of these tools is to assume that the
> attacker knows which tool you use, and its settings (word list, whether
> to use punctuation, etc.), and see how many attempts it would take them
> with that knowledge; then compare that with how memorable the results
> are. Each bit of entropy doubles the number of possibilities that an
> attacker needs to try.
>
> pwqgen defaults to generating a passphrase with 47 bits of entropy. I
> think it primarily includes capitals, punctuation and digits as a
> workaround for sites that require passwords to contain these, rather
> than as a way to increase entropy: after all, randomly choosing whether
> each word has an initial capital only adds 1 bit of entropy per word.
>
> Diceware[1] is an implementation of a similar algorithm designed to be
> used via physical dice rather than a computer's pseudorandom number
> generator. It uses 5 die rolls to choose one of 7776 distinct words, and
> its author recommends a 6-word passphrase, resulting in about 77.5 bits
> of entropy.
>
Forgive my response. I seemed to forget everything I learned in the last 5 years about passwords after a trans-atlantic flight. Thanks for reminding me. ;)
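The "assume the attacker knows the tool and its settings" assessment from the quoted message, carried through in Python as an added example (this is not code from the thread, from pwqgen or from Diceware). It assumes a generator that picks each word uniformly and independently from a public word list; the 36-entry word list below is constructed here as a two-die-roll stand-in for the 7776-word Diceware list, and the function names are my own.

```python
"""Passphrase entropy when the attacker knows the generator and its settings.

Added example, not code from the debian-devel thread, pwqgen or Diceware.
Model: each word is drawn uniformly and independently from a public word
list of size N, so a k-word passphrase carries k * log2(N) bits; an
attacker who knows N and k must search that space.
"""
import math
import secrets

# Constructed word list: 36 entries, i.e. exactly 6**2 so two rolls of a
# six-sided die index it. A stand-in for the 7776-word (6**5) Diceware list.
SAMPLE_WORDS = (
    "apple banana cherry dune ember forest grape harbor island jungle "
    "kettle lantern meadow north orbit pebble quartz river saddle timber "
    "umbrella violet walnut xenon yonder zephyr anchor bridge castle dragon "
    "engine falcon garden hammer iron jewel"
).split()


def passphrase_entropy_bits(wordlist_size, n_words,
                            random_initial_capital=False,
                            separator_choices=1):
    """Bits of entropy against an attacker who knows list, count and settings.

    Each word contributes log2(wordlist_size) bits. A per-word coin flip for
    an initial capital adds exactly 1 bit per word (the point made in the
    quoted message). Picking one separator out of `separator_choices`
    options for the whole passphrase adds log2(separator_choices) bits.
    """
    bits = n_words * math.log2(wordlist_size)
    if random_initial_capital:
        bits += n_words
    bits += math.log2(separator_choices)
    return bits


def words_needed(wordlist_size, target_bits):
    """Smallest word count that reaches `target_bits` with this list size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_guesses(bits):
    """Average guesses for an attacker who knows the scheme: half the space.

    Every extra bit doubles this number.
    """
    return 2.0 ** (bits - 1)


def roll_die():
    """One uniformly random roll of a six-sided die from the OS CSPRNG."""
    return secrets.randbelow(6) + 1


def diceware_index(rolls):
    """Map die rolls (each 1..6) to a 0-based word index, most significant first."""
    index = 0
    for roll in rolls:
        if not 1 <= roll <= 6:
            raise ValueError("die roll must be between 1 and 6")
        index = index * 6 + (roll - 1)
    return index


def generate_passphrase(words, n_words, rolls_per_word):
    """Pick `n_words` words by simulated die rolls; list size must be 6**rolls."""
    if len(words) != 6 ** rolls_per_word:
        raise ValueError("word list size must equal 6 ** rolls_per_word")
    chosen = []
    for _ in range(n_words):
        rolls = [roll_die() for _ in range(rolls_per_word)]
        chosen.append(words[diceware_index(rolls)])
    return " ".join(chosen)


if __name__ == "__main__":
    # The Diceware recommendation: 6 words from 7776, about 77.5 bits.
    print(round(passphrase_entropy_bits(7776, 6), 2))
    # Random initial capitals: only +1 bit per word.
    print(round(passphrase_entropy_bits(7776, 6, random_initial_capital=True), 2))
    # How many Diceware words match pwqgen's default 47 bits?
    print(words_needed(7776, 47))
    # A passphrase from the small constructed list (about 31 bits only).
    print(generate_passphrase(SAMPLE_WORDS, 6, 2))
```

The comparison the message asks for is then mechanical: a 4-word Diceware passphrase already exceeds pwqgen's default 47 bits, and adding random capitals to 6 words moves the search from about 2^77.5 to 2^83.5 guesses, a far smaller gain than adding one more word.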