
Re: Bug#768772: ITP: xkcdpass -- secure passphrase generator inspired by XKCD 936



Excerpts from Simon McVittie's message of 2014-11-09 05:25:46 -0800:
> On 09/11/14 08:21, Ben Finney wrote:
> > * Package name    : xkcdpass
> ...
> >       A flexible and scriptable password generator which generates strong
> >       passphrases, inspired by XKCD 936:
> 
> Does this have significant advantages over pwqgen, in the passwdqc package?
> 
> How many bits of entropy does it typically produce?
> 
> Example pwqgen output with default settings:
> 
> % pwqgen
> wary$Nobody5leafy

With that, I have to remember that Nobody is capitalized, and that the
spaces are replaced by $ and 5. The other approach accepts that we are
forgetful and so uses spaces. But it also has the weakness that if the
approach and the separators are suspected, one can very cheaply run a
dictionary attack before brute forcing random characters (and in fact
this is what many password cracking tools do). If you add in random
separators and capitalization, that does nearly achieve the proclaimed
complexity that the xkcd article was suggesting. So it seems to this
lay-person that pwqgen is a better choice.
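
Added example (not part of the original message, and not code from xkcdpass or passwdqc): a rough estimate of the gap the reply describes between a character-level strength estimate and the search space left once the generation scheme is known, and of what random separators and capitalization add back. The wordlist sizes, separator count, alphabet size and function names are assumptions chosen for illustration.

```python
import math

def scheme_bits(words, wordlist_size, separators=1, case_forms=1):
    """Bits of entropy when the attacker knows the generation scheme.

    words         -- number of words drawn uniformly at random
    wordlist_size -- size of the dictionary they are drawn from
    separators    -- distinct symbols possible in each gap (1 = fixed space)
    case_forms    -- capitalisation variants per word (1 = always lowercase)
    """
    per_word = math.log2(wordlist_size) + math.log2(case_forms)
    per_gap = math.log2(separators)
    return words * per_word + (words - 1) * per_gap

def charset_bits(passphrase, alphabet_size):
    """Naive estimate that treats every character as independently random."""
    return len(passphrase) * math.log2(alphabet_size)

def average_guesses(bits):
    """Expected guesses before a hit: half of the search space."""
    return 2 ** (bits - 1)

def compare():
    """Return (label, bits) rows for the constructed scenarios."""
    sample = "correct horse battery staple"  # phrase from XKCD 936
    return [
        # What a character-by-character brute force would have to cover
        # (assumed alphabet: 26 lowercase letters plus space).
        ("char brute force", charset_bits(sample, 27)),
        # Dictionary attack on 4 words, fixed separator (assumed 2048-word list).
        ("4 words, spaces", scheme_bits(4, 2048)),
        # Hypothetical scheme: 3 words from an assumed 4096-word list, one of
        # 32 assumed separators per gap, each word randomly capitalised or not.
        ("3 words, random sep+case", scheme_bits(3, 4096, separators=32, case_forms=2)),
    ]

if __name__ == "__main__":
    for label, bits in compare():
        print(f"{label:26s} {bits:6.1f} bits  ~{average_guesses(bits):.2e} guesses")
```

Only the scheme-aware figures describe real strength; the character-level figure is what the passphrase looks like to an estimator that does not know how it was generated.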

