On Tue, 2019-06-25 at 11:29 +0200, Bennett Piater wrote:
> On 2019-06-25 11:09, Ralf Mardorf via arch-general wrote:
> > On Tue, 25 Jun 2019 09:35:53 +0100, Ralph Corderoy wrote:
> > > Are you familiar with https://xkcd.com/936/ ?
> >
> > Too funny, that is the method I described and while I was writing my
> > email, you posted that cartoon. However, even this suffers from the
> > pitfall, that it is not that easy to use this mnemonic as described by
> > the cartoon.
>
> I use diceware passphrases for my master passwords (login, hardware
> encryption, GPG, password manager) and they are much easier to remember
> than normal (safe) passwords.

Randomly opening a dictionary and then randomly pointing at a word, repeating this a few times, is one way for an artist to get inspiration. I wonder how safe it is to use such a method to generate a passphrase. To remember words, they must be from the languages the user is able to understand and to write, and the size of the vocabulary must be within the range of the educational background. Six words are just six words out of an assessable vocabulary.

"This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase." - https://en.wikipedia.org/wiki/Diceware

Google already "guesses" that women are pregnant before the women have got the slightest idea that they are pregnant. To guess that somebody uses Diceware or something similar is not hard to do. You already mentioned this on this mailing list. Probably you are not doing it exactly by the method mentioned by the Wiki, but likely by a similar method. Humans tend to follow patterns, a savant syndrome computer expert probably more than an average user ;).

13 rAnd0.m_C?arS are probably less secure than 13 random words, because even an illiterate human knows more words than we have got keys on a keyboard.
This is indeed speaking pro Diceware :).
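
As an added illustration that is not part of the original e-mail, the Python below puts numbers on the comparison discussed in this message, under the assumption quoted from Wikipedia that the attacker knows the word list and the word count. The 94-character set, the placeholder word list and the use of the OS CSPRNG in place of physical dice are assumptions of this example.

```python
import math
import secrets

DICE_PER_WORD = 5                  # Diceware indexes one word with five dice
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries
# Constructed placeholder list; a real list holds 7776 distinct dictionary words.
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]

def roll_to_index(rolls):
    """Map five die faces (1..6) to a list index 0..7775, read as base-6 digits."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index

def generate(wordlist, n_words):
    """Draw n_words uniformly; the OS CSPRNG stands in for physical dice."""
    if len(set(wordlist)) != LIST_SIZE:
        raise ValueError("word list must hold 7776 distinct entries")
    picks = []
    for _ in range(n_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD)]
        picks.append(wordlist[roll_to_index(rolls)])
    return " ".join(picks)

def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from `pool_size` symbols,
    for an attacker who knows both the pool and the length."""
    return length * math.log2(pool_size)

def words_needed(target_bits, vocab_size):
    """Fewest uniformly chosen words from vocab_size that reach target_bits."""
    return math.ceil(target_bits / math.log2(vocab_size))

if __name__ == "__main__":
    chars13 = entropy_bits(94, 13)   # assumption: 94 printable ASCII characters
    print(f"13 random characters : {chars13:5.1f} bits")
    print(f"6 Diceware words     : {entropy_bits(LIST_SIZE, 6):5.1f} bits")
    print(f"13 Diceware words    : {entropy_bits(LIST_SIZE, 13):5.1f} bits")
    for vocab in (1000, LIST_SIZE):
        print(f"vocabulary {vocab:4d}: {words_needed(chars13, vocab)} words match 13 characters")
    print("sample:", generate(WORDLIST, 6))
```

The figures hold only when every word is drawn uniformly at random; words picked by habit or preference carry less entropy than the formula reports.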