Re: Bug#768772: ITP: xkcdpass -- secure passphrase generator inspired by XKCD 936
Simon McVittie <smcv@debian.org> writes:
> Does [xkcdpass] have significant advantages over pwqgen, in the
> passwdqc package?
Significant advantages:
* ‘xkcdpass’ provides an implementation of a much-discussed scheme for
strong passphrase generation. (Which is not to say the results are
stronger than all others; only that these are relatively strong.)
I don't know of any other tool implementing the scheme discussed in
XKCD 936.
* The passphrases produced by ‘xkcdpass’ have, compared with other
schemes, excellent properties for accurate human memorisation
(meaningful words with normal spelling, no punctuation) while still
being acceptably strong for many uses.
Since both these are true – the passphrases are strong, and the other
properties are interesting and useful – this IMO makes the tool
sufficiently unique to be included in Debian.
> How many bits of entropy does it typically produce?
The example given at the top of its web page merely reproduces the
four-word example from XKCD 936 (presumably for easy association with
the existing meme). As discussed there, this would be 44 bits of
entropy.
The tool by default produces longer passphrases:
$ xkcdpass
included soundless instruct housecoat arena shove
$ xkcdpass
millionth legume styling traveller fleeting gallon
$ xkcdpass
dumpiness androgyny radii domiciled ribaldry determine
From a small dictionary of common words, say 2000–3000, a single
randomly-chosen word has about 11 bits (= log₂(2048)) of entropy. So
these passphrases have around 66 bits of entropy.
Given that these passphrases are quite strong *and* have comparatively
superior properties for human memorisation, I think this tool deserves
inclusion in Debian.
--
\ “The process by which banks create money is so simple that the |
`\ mind is repelled.” —John Kenneth Galbraith, _Money: Whence It |
_o__) Came, Where It Went_, 1975 |
Ben Finney
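The entropy arithmetic from the message above, worked through in code. This is an added example, not code from the message or from the xkcdpass project; the WORDLIST is a constructed sample (far too small for real use) and the function names are hypothetical.

```python
import math
import secrets

# Constructed sample wordlist (hypothetical). A real generator would load a
# dictionary of a few thousand common words; 18 entries give only ~25 bits
# for six words and serve here purely to make the example self-contained.
WORDLIST = [
    "included", "soundless", "instruct", "housecoat", "arena", "shove",
    "millionth", "legume", "styling", "traveller", "fleeting", "gallon",
    "dumpiness", "androgyny", "radii", "domiciled", "ribaldry", "determine",
]


def entropy_bits(dict_size: int, num_words: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly, independently
    and with replacement from a dictionary of dict_size entries.

    Only the dictionary size and the word count matter; the length or
    obscurity of the individual words adds nothing an attacker who knows
    the wordlist must guess."""
    if dict_size < 2 or num_words < 1:
        raise ValueError("need at least two candidate words and one pick")
    return num_words * math.log2(dict_size)


def words_needed(target_bits: float, dict_size: int) -> int:
    """Smallest number of words from a dict_size dictionary reaching target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def generate(num_words: int = 6, wordlist=WORDLIST) -> str:
    """XKCD-936-style passphrase: each word is drawn with the OS CSPRNG via
    secrets.choice (never random.choice), with replacement, so the entropy
    formula above applies exactly."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print(generate())
    print(f"4 words from 2048: {entropy_bits(2048, 4):.0f} bits")
    print(f"6 words from 2048: {entropy_bits(2048, 6):.0f} bits")
    print(f"words for 80 bits from 2048: {words_needed(80, 2048)}")
```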