On Wed 23 Aug 2017 at 12:58:19 -0500, Mario Castelán Castro wrote:
> On 23/08/17 11:57, Brian wrote:
> > > If you do not care about security, you could generate a single 4 character bit block with my method and save typing.
> >
> > One online password checker (not that I understand how it works or even trust it) gives
> >
> > IhaveaMemorablePasswordwhichIwillnotforget!
> >
> > 211.6 bits of entropy and rates it as "very strong" and "overkill". I'd place any discomfort with having to type a long password low down on my list of password formation difficulties. Long, with some complexity and memorable goes a long way to securing accounts on a computer or on the web.
>
> Entropy is just another way of expressing probability. More specifically, entropy in bits is the logarithm in base 1/2 of the probability.
>
> It only makes sense to speak of probability (or equivalently, entropy) when there is a clearly defined probability distribution.
>
> The kind of passwords that you suggest are generated by combining fragments of your knowledge in an ad hoc way. Thus although we could *speak* of the probability distribution of your method, as applied by you, the actual probabilities are unknowable.
>
> The relevant probability distribution for password strength is the one that the attacker will assume. The online password checker has no way to know this, therefore the figures it gives are utter bullshit. Not only should you not trust it, you should ignore it completely.
>
> With my method, the probability distribution is well defined: each character is chosen independently and uniformly distributed from a set of 64, thus it has 6 bits of entropy.

To make progress, we should go along with that.

> > > No, I am not digressing. Not every password is equally important. How important is the password you use to post in a forum that you will not visit again? Is it as important as the password of your GNU PG private key?
> >
> > Developing good practice with password management is what is important. If that weak password leads to a compromise of the account then it could end up with a ruined reputation for someone, depending on what happens. An ingrained habit of always creating a good password is a respectable life skill.
>
> It is very ironic that you are now talking about the importance of strong passwords, while at the same time you advocate a non-well-defined method for password generation that probably gives weak passwords.
>
> As for the scenario where the password is compromised and that leads to somebody posting slander on one's behalf, that can happen without any need for password cracking. Anybody can create a profile in a social network pretending to be you with the intention to taint your reputation.
>
> Hence only your reputation as perceived by stupid people would suffer from such an attack.

A slander coming from your own (compromised) account is somewhat different from one posted from a created account. It is a lot harder to deny one but not the other.

> > I actually like your method; it's making the outcome of it memorable which I have difficulty with. I have no hesitation in saying the chances of my memorising
> >
> > u19rX2JjTM5salGIYfrO1w
> >
> > is nil. I suppose I could put more effort into forming a mnemonic, but I'd likely forget that too. On the other hand I could write it in my notebook. That's probably the way to go. Then I leave my notebook at home.
>
> I acknowledge that devising a mnemonic for the whole password in a single run is not practical. Hence my suggestion (which I already described in a previous message) is that if you need to memorize it instead of storing it in a password manager then you generate and memorize it by chunks of 4 characters.

I am happy with that.

> > "Probably" is probably good enough. The probability of either of the two previous passwords being deduced from pure guessing is close to zero.
>
> It is not human guessing, but brute force attacks with specialized hardware that you should try to protect against.

It is all "human guessing". Think about it. Machines do not guess by themselves. Not yet anyway!

Two passwords:

IhaveaMemorablePasswordwhichIwillnotforget!
MyDogHasNoNose.HowDoesItSmell?Terrible!

Please would you give your opinion of how long it would take to brute force these over the network. (I do not understand "specialized hardware" when it is network attacks.)

--
Brian.