
Re: Preseeded setting on openssh-server ignored



On Tue, 17 Jun 2014 22:00:49 -0400
Jerry Stuckle <jstuckle@attglobal.net> wrote:

> On 6/17/2014 7:41 PM, Celejar wrote:
> > On Sat, 14 Jun 2014 22:32:16 -0400
> > Jerry Stuckle <jstuckle@attglobal.net> wrote:
> > 
> >> On 6/14/2014 2:06 PM, Patrick Chkoreff wrote:
> > 
> > ...
> > 
> >>> Here's a way to generate a *truly* random password that is *also* memorable:
> >>>
> >>> http://diceware.com
> >>>
> >>> Instead of using your computer to generate allegedly random bits, you
> >>> use five six-sided dice to generate truly random bits.
> >>>
> >>>
> >>> -- Patrick
> >>>
> >>>
> >>
> >> Not good at all.  With 5 dice, you have 6^5 or 7,776 possible
> >> combinations.  Just figuring 5 upper and lower case characters and
> >> numbers, you have 62^5 or 916,132,832 (more if you add special
> >> characters).  Even a 3 alphanumeric (upper and lower) case character
> >> password has 238,328 possible combinations.
> >>
> >> I wouldn't even consider this a weak password.  It's much worse than
> >> that.  The fact you can have combinations of words doesn't add that much
> >> security, especially if someone thinks you're using the diceware list.
> > 
> > I think there's a miscommunication here; the diceware instructions are
> > to use five dice *per word*, and recommend either five or six words as
> > a minimum:
> > 
> > http://world.std.com/~reinhold/diceware.html
> > http://world.std.com/~reinhold/dicewarefaq.html#howlong
> > 
> > Celejar
> > 
> > 
> 
> Yes, I understand.  But a roll of five dice is less secure than a three
> character alphanumeric (upper and lower case) password (7,776 vs.
> 238,328 combinations).  A 6 word password would have approximately the
> same security as a 13 character alphanumeric password.

Understood. I think the point of diceware, though, is that it generates
passphrases with at least a fair bit of entropy and that are still
relatively easy to remember, as per the celebrated xkcd:

http://xkcd.com/936/

Of course, your *genuinely* random 13 character password will be just
as good, but likely harder to remember.

> But then you have to type 30-40 characters or so to enter the diceware
> password; very few (if any) sites will accept a password that long.  The
> longest I know of is around 20 characters (my bank).
> 
> That severely limits the number of combinations you can get with dice.

True. I think they're mainly useful for local system passphrases, such
as GPG and LUKS keys.

> Jerry

Celejar
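
The figures compared in this thread, worked through as an added example that is not part of any poster's message: it builds a passphrase from five dice per word and expresses its entropy as an equivalent random alphanumeric length. The word list is a constructed placeholder (the real Diceware list is not reproduced here), the function names are hypothetical, and a software CSPRNG stands in for physical dice.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD   # 7,776 entries, the figure quoted in the thread
ALNUM = 62                       # upper case + lower case + digits


def placeholder_wordlist():
    """Constructed stand-in list: keys "11111".."66666", values "w<key>"."""
    words = {}
    for i in range(LIST_SIZE):
        key, n = "", i
        for _ in range(DICE_PER_WORD):
            key = str(n % 6 + 1) + key   # base-6 digit mapped to a die face
            n //= 6
        words[key] = "w" + key
    return words


def roll_word_key(rng=secrets.SystemRandom()):
    """Simulate five six-sided dice (assumption: replaces physical dice)."""
    return "".join(str(rng.randint(1, 6)) for _ in range(DICE_PER_WORD))


def passphrase(n_words, wordlist):
    """One independent five-dice roll per word, looked up in the list."""
    return " ".join(wordlist[roll_word_key()] for _ in range(n_words))


def diceware_bits(n_words):
    return n_words * math.log2(LIST_SIZE)


def random_alnum_bits(length):
    return length * math.log2(ALNUM)


def equivalent_alnum_length(n_words):
    """Length of a uniformly random alphanumeric string with equal entropy."""
    return diceware_bits(n_words) / math.log2(ALNUM)


if __name__ == "__main__":
    print(passphrase(6, placeholder_wordlist()))
    for n in range(1, 8):
        print(f"{n} words: {diceware_bits(n):5.1f} bits, "
              f"~{equivalent_alnum_length(n):.2f} random alphanumeric chars")
```

The equivalence only holds when the alphanumeric password is itself chosen uniformly at random, and when every word comes from an independent roll.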

