On 2019-06-25 12:11, Ralf Mardorf via arch-general wrote:
Six words are just six words out of an assessable vocabulary.
"This level of unpredictability assumes that a potential attacker knows
that Diceware has been used to generate the passphrase, knows the
particular word list used, and knows exactly how many words make up the
passphrase." - https://en.wikipedia.org/wiki/Diceware
You seem to be misunderstanding that statement.
The minimum entropy is calculated _assuming_ that the attacker knows
that you are using diceware *and* which word list you used.
That is part of the threat model.
Think of it this way: In a normal password, you have an alphabet of ~80
chars and use 10-15 of them.
In diceware, you have an alphabet of >= 8K words and use at least 6 of
them.
So a diceware passphrase of appropriate (word) length has the same
entropy as a password with equivalent (char) length, but the diceware
passphrase is much easier to remember.
