Re: Bug#768772: ITP: xkcdpass -- secure passphrase generator inspired by XKCD 936
Excerpts from Simon McVittie's message of 2014-11-09 06:48:46 -0800:
> On 09/11/14 14:25, Clint Byrum wrote:
> > With that, I have to remember that Nobody is capitalized, and that the
> > spaces are replaced by $ and 5. The other approach accepts that we are
> > forgetful and so uses spaces. But it also has the weakness that if the
> > approach and the separators are suspected, one can very cheaply run a
> > dictionary attack before brute forcing random characters (and in fact
> > this is what many password cracking tools do).
> It's a trade-off. I didn't say "this is unacceptable because...", I only
> asked the question.
> The cost of a dictionary attack goes up exponentially with the number of
> bits of entropy in the password or passphrase, which is why I asked how
> much entropy this tool has. IMO, the right way to assess the quality of
> the passphrases produced by one of these tools is to assume that the
> attacker knows which tool you use, and its settings (word list, whether
> to use punctuation, etc.), and see how many attempts it would take them
> with that knowledge; then compare that with how memorable the results
> are. Each bit of entropy doubles the number of possibilities that an
> attacker needs to try.
> pwqgen defaults to generating a passphrase with 47 bits of entropy. I
> think it primarily includes capitals, punctuation and digits as a
> workaround for sites that require passwords to contain these, rather
> than as a way to increase entropy: after all, randomly choosing whether
> each word has an initial capital only adds 1 bit of entropy per word.
> Diceware is an implementation of a similar algorithm designed to be
> used via physical dice rather than a computer's pseudorandom number
> generator. It uses 5 die rolls to choose one of 7776 distinct words, and
> its author recommends a 6-word passphrase, resulting in about 77.5 bits
> of entropy.
Forgive my response. I seemed to forget everything I learned in the
last 5 years about passwords after a trans-atlantic flight. Thanks for
reminding me. ;)