On Wed 23 Aug 2017 at 10:13:01 -0500, Mario Castelán Castro wrote:

> On 22/08/17 17:31, Brian wrote:
> > You will now explain why the first one will be broken in the next
> > 100 years. I'm past caring after that.
>
> If you do not care about security, you could generate a single 4
> character bit block with my method and save typing.

One online password checker (not that I understand how it works or even
trust it) gives IhaveaMemorablePasswordwhichIwillnotforget! 211.6 bits of
entropy and rates it as "very strong" and "overkill". I'd place any
discomfort with having to type a long password low down on my list of
password formation difficulties. Long, with some complexity, and memorable
goes a long way to securing accounts on a computer or on the web.

> >> If the password is not important (for example, account of web forums)
> >> then you can store it in a plain text file or a password manager.
> >> Firefox has a built-in password manager which works fine. Here
> >> memorability does not matter at all, as you just have to copy and paste,
> >> or let the password manager fill it automatically. Anyway, one could not
> >> memorize enough passwords for all the things that require one (esp. web
> >> sites).
> >
> > You are digressing. Every password is important. Basing a password on
> > the perceived importance of an account is unwise. What Firefox has is of
> > no great consequence when it comes to memorability.
>
> No, I am not digressing. Not every password is equally important. How
> important is the password you use to post in a forum that you will not
> visit again? Is it as important as the password of your GNU PG private key?

Developing good practice with password management is what is important. If
that weak password leads to a compromise of the account then it could end up
with a ruined reputation for someone, depending on what happens. An ingrained
habit of always creating a good password is a respectable life skill.

> > Fine. But where is the improvement over
> >
> > Willhas5fingerson_each_Jand
> >
> > as a password? A bit longer to type, perhaps, but not spectacularly so.
>
> This is just for a block of 24 bits, thus this is a rough equivalent of
> 4 characters under my method, which is *much* shorter to type.
>
> Assuming your mnemonic function is one-to-one (which it is not) you
> would need 4 such to achieve the 96 bits of entropy that I recommend.
> Then the difference in length is very significant.
>
> Moreover, since you are suggesting using the mnemonic itself, and the
> mnemonic function is not well defined, the entropy is not well defined
> either.

The same password checker as above gives it the same rating and 132.4 bits
of entropy. (Just saying. I'd accept that a checker's way of measuring
entropy could be suboptimal. But that is a whole different topic).

> -----
> Anyway, I posted this suggestion for those who want a provably (not
> “probably”) secure password (up to a certain entropy). I know not
> everybody will like my method, and that is fine for me.

I actually like your method; it's making the outcome of it memorable which
I have difficulty with. I have no hesitation in saying the chances of my
memorising u19rX2JjTM5salGIYfrO1w is nil. I suppose I could put more effort
into forming a mnemonic, but I'd likely forget that too. On the other hand
I could write it in my notebook. That's probably the way to go. Then I leave
my notebook at home.

"Probably" is probably good enough. The probability of either of the two
previous passwords being deduced from pure guessing is close to zero.

-- 
Brian.
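The thread turns on two different notions of "entropy": the bits actually drawn by a random generator (Mario's 24-bit blocks, 4 characters each, 96 bits recommended) versus a checker's estimate from the visible characters of a human-chosen string. The following added example (mine, not code from either poster; it assumes base64 as the encoding that maps 24 bits to 4 characters, which the thread does not state) generates passwords with exactly known entropy and shows why a character-class estimate of a passphrase can exceed what the process that produced it could ever supply:

```python
import base64
import math
import os
import string

BITS_PER_BLOCK = 24   # 3 bytes of randomness -> one 4-character base64 block (assumption)
BYTES_PER_BLOCK = 3

def blocks_needed(bits: int) -> int:
    """Whole 24-bit blocks required to carry at least `bits` bits (96 -> 4)."""
    return math.ceil(bits / BITS_PER_BLOCK)

def random_password(bits: int) -> str:
    """Password whose entropy is known by construction: OS randomness,
    rounded up to whole blocks, base64-encoded so every 4 characters
    carry exactly 24 bits. No padding appears because the byte count is
    always a multiple of 3."""
    raw = os.urandom(BYTES_PER_BLOCK * blocks_needed(bits))
    return base64.b64encode(raw).decode("ascii")

def generated_entropy_bits(password: str) -> int:
    """Entropy of a password produced by random_password: each base64
    character was chosen uniformly from 64 symbols, hence 6 bits apiece.
    Only meaningful for output of random_password, not arbitrary strings."""
    return 6 * len(password)

def charset_estimate_bits(password: str) -> float:
    """What a naive strength checker does: pretend every character was
    drawn uniformly from the union of the character classes present.
    For English-word passphrases this bears no relation to how the
    string was actually chosen."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)

def wordlist_estimate_bits(n_words: int, dictionary_size: int) -> float:
    """Upper bound for a passphrase of n_words chosen from a dictionary of
    dictionary_size words: even if every word were picked uniformly at
    random (human choice is worse), this is all the entropy available."""
    return n_words * math.log2(dictionary_size)

if __name__ == "__main__":
    pw = random_password(96)                       # 16 characters, 96 bits
    print(pw, generated_entropy_bits(pw))
    phrase = "IhaveaMemorablePasswordwhichIwillnotforget!"   # from the thread
    print(round(charset_estimate_bits(phrase), 1))            # character-class view
    print(round(wordlist_estimate_bits(10, 8000), 1))         # 10 words, 8000-word dictionary (constructed)
```

The gap between the last two numbers is the point Mario makes: a mnemonic's entropy is a property of how it was chosen, so a checker that only sees the characters cannot measure it.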