Apologies in advance if this is too off-topic (pass phrases, not postfix).

On Mon, Feb 13, 2023 at 11:22:24PM +0000, Allen Coates <znab...@cidercounty.org.uk> wrote:

> On 13/02/2023 22:43, raf wrote:
> > And for diceware style passphrases to be meaningful,
> > it's important that none of the words are "picked" by a
> > human. They must be random. Then, it doesn't matter if
> > they are common words or not.
>
> A human can throw in a misspelt or foreign-language word. Probably
> optimum if (s)he doctors a truly random selection.

True, but it sounds manual. The best solution should just happen.
Randomness is crucial. Any manual contribution is not random.

> Also, don't forget numbers and special characters etc. I think a
> human would need to add those, too.

Yes, but only if fewer words were chosen (e.g., four). And of course,
many websites insist on digits and/or special/punctuation characters
(and some don't accept spaces as special/punctuation) even if the
passphrase is 50 characters in length, so manual nonsense is generally
required. But it's not required for security. It's required by websites
implemented by people that don't get it (sufficiently).

> It occurs to me that, once "the enemy" gets past dictionary searches,
> they won't know the actual password length. They
> would have to explore random character sequences of EVERY length - and
> not just that of YOUR password...

That's right. That's why length is really the most important thing.
If you have a 50 character pass phrase, it doesn't matter what it is.
EXCEPT, please don't use a quote from literature (even manga! or
twitter!) - ever.

> Allen C

Yes, the entropy I quoted assumes that the attacker knows exactly which
dictionary was used. If that prior knowledge doesn't exist, then the
apparent entropy (is that a thing?) would be much higher (I assume, but
I know nothing).

The short bit of advice is "the longer, the better". If a password is
20 characters in length, it's fairly safe. If it's 50 characters in
length, it's awesome.

cheers,
raf
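The entropy arithmetic behind this exchange, as an added example that is not part of the original thread or of postfix: it computes the bits an attacker faces when the dictionary and word count are known (the figure raf refers to) against the character-level bound when they are not (the "apparent entropy"), and it draws words with the OS CSPRNG so that no human picks or doctors them. The short word list, the list-size constant and the function names are assumptions made for illustration; a real diceware list has 7776 entries.

```python
import math
import secrets

# Constructed sample word list (an assumption for illustration; a real
# diceware list has 6**5 = 7776 entries, one per five-dice roll).
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest",
    "garden", "hammer", "island", "jacket", "kettle", "ladder",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words: five six-sided dice per word
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def dictionary_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows the dictionary and the word count.

    Each word is one uniform choice out of dictionary_size, so the
    search space is dictionary_size ** word_count and the entropy is
    word_count * log2(dictionary_size) bits.
    """
    return word_count * math.log2(dictionary_size)


def character_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bound an attacker faces with no dictionary knowledge at all.

    With no list to enumerate, every character sequence of this length
    over the alphabet must be tried: length * log2(alphabet_size) bits.
    """
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret of `bits` entropy.

    On average half the search space is explored before success.
    """
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, word_count: int) -> str:
    """Pick word_count words uniformly at random, with no human choice.

    secrets.choice draws from the OS CSPRNG; random.choice is not a
    suitable substitute for generating secrets.
    """
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    known = dictionary_entropy_bits(6, DICEWARE_LIST_SIZE)
    # Six diceware words average about 40 characters including spaces;
    # alphabet of 26 lowercase letters plus space = 27 symbols.
    unknown = character_entropy_bits(40, 27)
    rate = 1e12  # assumed offline guess rate, guesses per second
    print(f"6 words, dictionary known:   {known:.1f} bits, "
          f"{expected_years_to_crack(known, rate):.2e} years at {rate:.0e}/s")
    print(f"40 chars, dictionary unknown: {unknown:.1f} bits, "
          f"{expected_years_to_crack(unknown, rate):.2e} years at {rate:.0e}/s")
    print("sample passphrase from the constructed list:",
          generate_passphrase(SAMPLE_WORDS, 6))
```

The two figures show why the dictionary matters: a known 7776-word list at six words yields about 77.5 bits, while an attacker with no idea that a word list was used faces the far larger character-level space, which is the "apparent entropy" raised in the message above. The generator only ever gives entropy equal to the dictionary figure, so the honest planning number is the lower one.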