On 18 Dec 2024 11:57 -0600, from j...@sugarbit.com (John Hasler):
>> Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
>> have perfect knowledge of myself, in fact I'm pretty sure I don't!
>
> But which things about you can you be sure no one else has knowledge of?
> Most people seem to think that the name of the dog they had when they
> were 12 is an unguessable secret.

Pretty much. Or the phone number you had at home as a child. Or your favorite color. Or your mother's maiden name. Or that you have used Debian since year Y. Or which year your great-grandmother died.

If I generate a Diceware passphrase - let's take one from that page as an example, "dean unissued mystified comfort everyday chokehold" - then I can tell you exactly how I generated it and what the inputs were ("6 words selected at random out of the EFF English long Diceware word list, separated by single U+0020 space characters") and this won't really help you, because the search space is still (6^5)^6 or about 2^77.

On the other hand, someone who knows Karen Lewellen's system for generating a password has a fairly significant advantage over someone who doesn't; for example, that the digit group in the middle is highly likely to be in the range 1..26 (possibly padded to 01..26), the first letter may or may not be capitalized, and letters other than "I" are more likely to be lowercase than uppercase. Note that this is just some of what can be learned from that one password and the description of the process.

And if they can guess or glean a seed sentence, or even a part of one, then the attacker has a _huge_ advantage.

On the other hand, if someone were to learn that a Diceware passphrase begins with "dean unissued mystified comfort", then other than perhaps that this can help narrow down which word list was used, they have no advantage in guessing the remainder.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
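
The Diceware arithmetic in the message above, as an added example that is not part of the original post: it draws words by simulated five-dice keys and computes how many bits remain for an attacker who knows the method, the list and some of the words. The function names are hypothetical, and `STAND_IN_LIST` is a constructed 7776-entry placeholder, not the EFF word list.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                 # five d6 rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries, the message's (6^5)

def roll_key():
    """Five independent uniform d6 rolls from the OS CSPRNG, e.g. '43126'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def key_to_index(key):
    """Map a dice key '11111'..'66666' to a list index 0..7775 (base 6)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a valid dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index

def generate(wordlist, n_words=6):
    """Pick n_words independently and uniformly; join with single spaces."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        raise ValueError("word list must hold 7776 distinct entries")
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(n_words))

def remaining_bits(n_words, known_words=0):
    """Bits left to search for an attacker who knows the method, the list
    and known_words of the words. Each word is an independent draw, so a
    leaked word removes only its own log2(7776) bits."""
    if not 0 <= known_words <= n_words:
        raise ValueError("known_words must be between 0 and n_words")
    return (n_words - known_words) * math.log2(LIST_SIZE)

# Constructed stand-in list (NOT the EFF list): the entry for key k is "w" + k.
STAND_IN_LIST = ["w" + "".join(p)
                 for p in itertools.product("123456", repeat=DICE_PER_WORD)]

if __name__ == "__main__":
    print(generate(STAND_IN_LIST))
    for known in (0, 4):
        print(f"{known} words known: {remaining_bits(6, known):.1f} bits remain")
```

With four of six words disclosed, the two remaining words still cost the full 2 × log2(7776) bits each attacker must search, which is the "no advantage in guessing the remainder" property the message describes.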