
Re: One-line password generator



On Wed 23 Aug 2017 at 12:58:19 -0500, Mario Castelán Castro wrote:

> On 23/08/17 11:57, Brian wrote:
> >> If you do not care about security, you could generate a single 4
> >> character bit block with my method and save typing.
> > 
> > One online password checker (not that I understand how it works or even
> > trust it) gives
> > 
> >  IhaveaMemorablePasswordwhichIwillnotforget!
> > 
> > 211.6 bits of entropy and rates it as "very strong" and "overkill". I'd
> > place any discomfort with having to type a long password low down on my
> > list of password formation difficulties. Long, with some complexity and
> > memorable goes a long way to securing accounts on a computer or on the
> > web.
> 
> Entropy is just another way of expressing probability. More
> specifically, entropy in bits is the logarithm in base 1/2 of the
> probability.
> 
> It only makes sense to speak of probability (or equivalently, entropy)
> when there is a clearly defined probability distribution.
> 
> The kind of passwords that you suggest are generated combining fragments
> of your knowledge in an ad-hoc way. Thus although we could *speak* of
> the probability distribution of your method, as applied by you, the
> actual probabilities are unknowable.
> 
> The relevant probability distribution for password strength is the one
> that the attacker will assume. The online password checker has no way to
> know this, therefore the figures it gives are utter bullshit. Not only
> you should not trust it, you should ignore it completely.
> 
> With my method, the probability distribution is well defined: Each
> character is chosen independently and uniformly distributed from a set
> of 64, thus it has 6 bits of entropy.

To make progress, we should go along with that.

> >> No, I am not digressing. Not every password is equally important. How
> >> important is the password you use to post in a forum that you will not
> >> visit again? Is it as important as the password of your GNU PG private key?
> > 
> > Developing good practice with password management is what is important.
> > If that weak password leads to a compromise of the account then it could
> > end up with a ruined reputation for someone, depending on what happens.
> > An ingrained habit of always creating a good password is a respectable
> > life skill.
> 
> It is very ironic that you are now talking about the importance of
> strong passwords, while at the same time you advocate a non-well-defined
> method for password generation that probably gives weak passwords.
> 
> As for the scenario where the password is compromised and that leads to
> somebody posting slander on one's behalf, that can happen without any need
> for password cracking. Anybody can create a profile in a social network
> pretending to be you with the intention to taint your reputation.
> 
> Hence only your reputation as perceived by stupid people would suffer
> from such an attack.

A slander coming from your own (compromised) account is somewhat
different from one posted from a created account. It is a lot harder
to deny one but not the other.

> > I actually like your method; it's making the outcome of it memorable
> > which I have difficulty with. I have no hesitation in saying the chances
> > of my memorising
> > 
> >  u19rX2JjTM5salGIYfrO1w
> > 
> > is nil. I suppose I could put more effort into forming a mnemonic, but
> > I'd likely forget that too. On the other hand I could write it in my
> > notebook. That's probably the way to go. Then I leave my notebook at
> > home.
> 
> I acknowledge that devising a mnemonic for the whole password in a
> single run is not practical. Hence my suggestion (which I already
> described in a previous message) is that if you need to memorize it
> instead of storing it in a password manager, then you generate and
> memorize it in chunks of 4 characters.

I am happy with that.
 
> > "Probably" is probably good enough. The probability of either of the two
> > previous passwords being deduced from pure guessing is close to zero.
> 
> It is not human guessing but brute-force attacks with specialized
> hardware that you should try to protect against.

It is all "human guessing". Think about it. Machines do not guess by
themselves. Not yet anyway!

Two passwords:

  IhaveaMemorablePasswordwhichIwillnotforget!

  MyDogHasNoNose.HowDoesItSmell?Terrible!

Please would you give your opinion of how long it would take to brute
force these over the network.

(I do not understand "specialized hardware" when it is network attacks.)

-- 
Brian.
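The generation method discussed in this thread, as an added example that is not code from either poster: each character is drawn independently and uniformly from a set of 64 characters, so each contributes 6 bits and a 22-character password like the one quoted above carries 132 bits; the output is split into 4-character chunks for memorising; and the entropy is turned into an expected search time for an attacker who knows the method. The thread does not list which 64 characters were used, so the alphabet below is an assumption, and the two guessing rates (one for online guessing against a login form, one for offline cracking of a fast hash) are assumed figures for illustration, not numbers from the thread.

```python
import math
import secrets
import string

# Assumption: the thread says "a set of 64" but never lists the characters.
# Here we use the 62 alphanumerics plus '-' and '_'; any 64 distinct
# characters give the same 6 bits per character.
ALPHABET = string.ascii_letters + string.digits + "-_"

# Assumed guessing rates for the two settings the thread contrasts.
# Neither figure comes from the thread; adjust them for a real threat model.
ASSUMED_RATES = {
    "online, throttled login form (assumed)": 100.0,
    "offline, fast hash on a GPU rig (assumed)": 1e10,
}


def bits_per_char(alphabet=ALPHABET):
    """Entropy of one character chosen uniformly from the alphabet."""
    return math.log2(len(alphabet))


def generate(length, alphabet=ALPHABET):
    """Pick each character independently and uniformly using the OS CSPRNG.

    secrets.choice is unbiased and cryptographically seeded; random.choice
    uses a non-cryptographic PRNG and must not be used for passwords.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def chunk(password, size=4):
    """Split into 4-character groups, the memorising scheme from the thread."""
    return [password[i:i + size] for i in range(0, len(password), size)]


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly generated password of the given length."""
    return length * bits_per_char(alphabet)


def expected_guess_time(bits, guesses_per_second):
    """Seconds until an attacker who knows the generation method succeeds.

    Uniform choice means no candidate is more likely than any other, so on
    average half the space is searched before the password is hit.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


def years(seconds):
    return seconds / (365.25 * 24 * 3600)


def report(password, alphabet=ALPHABET, rates=ASSUMED_RATES):
    """Human-readable summary: chunked password, entropy, search time per rate."""
    bits = entropy_bits(len(password), alphabet)
    lines = [
        "password (chunked): " + " ".join(chunk(password)),
        f"entropy: {bits:.0f} bits ({bits_per_char(alphabet):.0f} per character)",
    ]
    for label, rate in rates.items():
        lines.append(f"{label}: {years(expected_guess_time(bits, rate)):.3g} years")
    return "\n".join(lines)


if __name__ == "__main__":
    # 22 characters, the length of the example quoted in the thread.
    print(report(generate(22)))
    # The 4-character "block" mentioned at the top of the thread, for contrast.
    print(report(generate(4)))
```

The contrast between the two rates is the point of Mario's remark about specialized hardware: the same 24-bit four-character block that takes about a day at 100 online guesses per second falls in well under a second to an offline cracker, and the password's strength has to be judged against whichever of the two the attacker can actually mount.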