On 17 Dec 2024 23:42 -0500, from klewel...@shellworld.net (Karen Lewellen):

> Simply sharing a password method I was taught years ago that works well.
> Granted I never allow anything to choose a password for me, not ever.
> Instead I create a sentence with aspects of the characters forming the
> password.
> As an example, I will create one, not in use of course, for the below
> sentence.
> in 2012 I joined the Debian list.
> Again everything above is likely untrue, still it becomes the following.
> ItlI#10t4l
> [/snip description/]
This method would seem to fail at generating randomness, because it's based on an initial meaningful sentence (keeping in mind that natural language has very low entropy; consider that in your example, "joined" is much more likely in that position than, say, "aardvark", "vibrated" or "swordsman") plus some relatively fixed, predetermined transformations. It also requires you to remember which sentence you used as the seed for which service. That might work for a few services, but does it scale into the hundreds or thousands?

Thus xkcd 936 essentially applies. https://xkcd.com/936/

As I note on https://michael.kjorling.se/password-tips/ (constructive criticism most welcome!), "someone who has perfect knowledge of you should not have any advantage in guessing the password". The two main ways of meeting that criterion (which is not the only one, but is the one which is pertinent here) are random out of a character set, and Diceware with words selected at random. The former gives a high degree of security for a given length, and the latter gives good memorability. The work factor of a password or passphrase generated using either method can be objectively quantified.

And humans in general are terrible at randomness.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
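To make the "objectively quantified" point concrete, the following is an added example (my own illustration, not code from Michael or from his page): it draws a secret by each of the two methods he names using the OS CSPRNG, and computes the work factor of each in bits. The word list is a constructed eight-entry stand-in; the 7776-entry figure is the standard Diceware list size (6^5, one roll of five dice per word).

```python
import math
import secrets
import string

# "Random out of a character set": printable ASCII minus space, 94 symbols.
ASCII_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The standard Diceware list has 6^5 = 7776 entries (five dice per word).
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in for a Diceware list; only a list's size affects the entropy figure.
SAMPLE_WORDLIST = ["apple", "cactus", "debian", "forest", "gimbal", "hollow", "isotope", "jargon"]


def entropy_bits(space_size: int, count: int) -> float:
    """Bits of entropy in `count` independent uniform picks from `space_size` options."""
    return count * math.log2(space_size)


def length_for_bits(space_size: int, target_bits: float) -> int:
    """Smallest number of uniform picks from `space_size` options reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(space_size))


def random_password(length: int, alphabet: str = ASCII_ALPHABET) -> str:
    """Uniform random string over `alphabet`; `secrets` uses the OS CSPRNG, not `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int, wordlist: list[str]) -> str:
    """Passphrase of `words` uniform picks from `wordlist` (with replacement, as Diceware does)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def equivalent_ascii_length(words: int, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """ASCII password length whose work factor matches a `words`-word Diceware phrase."""
    return length_for_bits(len(ASCII_ALPHABET), entropy_bits(list_size, words))


if __name__ == "__main__":
    print(f"12-char ASCII password: {entropy_bits(len(ASCII_ALPHABET), 12):.1f} bits")
    print(f"6-word Diceware phrase: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print("ASCII length with the same work factor:", equivalent_ascii_length(6))
    print("sample password:  ", random_password(12))
    print("sample passphrase:", diceware_passphrase(6, SAMPLE_WORDLIST))
```

A six-word Diceware phrase and a twelve-character random ASCII password land within about a bit of each other, which is the length-versus-memorability trade-off the message describes.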