Hello,

> Correct, horse! Battery staple!

My understanding is that these words in such a passphrase are chosen by a random number generator in a computer. I use such a passphrase; I've let my computer pick words out of a word list based on reading /dev/random; or actually, I'm fairly sure I used GnuPG to generate the randomness. I didn't let it generate four words; I let it generate a few more until some combination of four words emerged that I could somehow memorize. It is not a phrase, it is non-grammatical, it just has something to it that makes it such that I can remember it. The amount of entropy each word contains is close to the amount of choice there is in picking a word from the word list; i.e., the base-2 log of the number of words in the word list if you express it in bits.

> Und allein dieser Mangel und nichts anderes führte zum Tod.

This is grammatical. There is a subject (or two), a verb, an... well, whatever those things are like "zum Tod"; I don't often discuss grammar in any other language than Dutch, so I forgot the technical terms. Furthermore, the phrase actually makes sense semantically. I don't know if somebody ever said or wrote it; that would make it even worse, since a passphrase cracker could try sentences from a corpus of likely texts it has scoured from the internet.

It has grammar, it has semantics, it has a proper meaning. All these things go at the expense of its entropy. Whereas a few words that only make enough sense to be memorizable have loads of entropy, as the cartoon expresses.

"Memorizability" is not easily quantified when you write a password cracker. It's almost a Turing test in a way. What you want to avoid is that there is a pattern that a password cracker can look for. Replacing an i with a 1 (one) is a horribly little amount of extra entropy that serves more to make it difficult for you than that one little extra try that a password cracker has to do matters.

> i.e. some phrasing which could be memorized better?

I don't think I can ever make myself forget Correct horse, battery staple! :)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users