On Fri, Jul 06, 2001 at 10:03:32PM -0400, Michael H. Warfield wrote:
> On Sat, Jul 07, 2001 at 03:41:13AM +0200, peter k. wrote:
> 
> > > > i saw that in the readme: "Password string has a minimum length of 20
> > > > characters."
> > > > aren't 10 byte passwords enough? i don't like having to learn 20 byte
> > > > passwords =(
> 
> > > No, 10 byte passwords are NOT enough. Given that they are
> > > printable ASCII characters and subject to a variety of other entropy
> > > reducing issues, a password "byte" is probably only worth about 6
> > > bits of entropy, maybe (probably) less. That gives you only about
> > > 60 bits of strength against brute force. Not enough...
> 
> > > Rule of thumb... (although all "rules of thumb" are bad since
> > > they lead to guessable patterns.) Pass WORD is bad. Pass PHRASE is
> > > better. Make it several words with number substitutions and odd
> > > punctuation. Make at LEAST one word misspelled, especially if the
> > > misspelling is one of the numbers. (Example: Wizard -> W122@xx!).
> > > The sillier (or obnoxious, or obscene) the better (easier to remember,
> > > harder to guess). Basic mnemonics. You won't forget and
> > > 1t_wi11-b3=@xxxxxxx)H! t0 gu3ss..! (it will be a bitch to guess) :-)
> 
> > well, I'm usually using passwords like "4wj8s06bj2" or "7e1t91436g", not any
> > english or whatever words!!
> > so if i would have to learn a 20 byte password in that format it would be
> > like "v1872cqad730lbsq53i8" or "0v7g25y0mp49n26yrntb" and learning that isn't
> > easy, is it? ;)
> 
> But that still doesn't buy you as much entropy as using a
> longer passphrase that is mnemonic and easier to remember. Even if
> you ASSUME that you can use totally random characters, that only
> approaches 7 bits per character (but can never reach it) and is
> still less than the strength of a well formed 20 character mnemonic
> pass phrase that's easier to remember.

Is this really true?

According to Schneier's book, English text has about 1.5 bits of entropy/letter - a random password has about 6, so your passphrase will have to be a good deal longer, even with mis-spelt words...

Mind you, I always use pass phrases when I can - but I whack in random digits & punctuation to keep it interesting...

Stephen
-- 
Stephen Norris srn@xxxxxxxxx
Farrow Norris Pty Ltd +61 417 243 239
Attachment: pgp00058.pgp (PGP signature)
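The disagreement in the thread comes down to arithmetic: bits per character times number of characters. The following script, added here as an illustration and not part of any message in the thread, puts numbers on both positions using the figures the posters themselves cite (about log2(95) = 6.6 bits per character for uniformly random printable ASCII, 1.5 bits per letter for ordinary English). It infers an alphabet from the character classes a password actually uses, which is an optimistic upper bound that assumes every character was chosen uniformly at random; the 1.5 bits/letter figure is likewise an assumption taken from the thread, not a measurement. It also goes slightly beyond the thread by converting bits into an expected brute-force time at an assumed guess rate, so the "not enough" claim can be read in years rather than bits.

```python
import math
import string

# Per-letter entropy of ordinary English text, the figure quoted in the thread
# (assumption taken from the discussion, not measured here).
ENGLISH_BITS_PER_LETTER = 1.5

# Character classes making up the 95 printable ASCII characters
# (space is counted together with punctuation: 10 + 26 + 26 + 33 = 95).
CHAR_CLASSES = (
    (frozenset(string.digits), 10),
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.punctuation + " "), 33),
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn independently and uniformly
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def inferred_alphabet_size(password: str) -> int:
    """Alphabet implied by the character classes present in `password`.
    Upper-bound assumption: treats the password as if each character were
    drawn uniformly from the union of the classes it happens to use."""
    size = 0
    for members, class_size in CHAR_CLASSES:
        if any(ch in members for ch in password):
            size += class_size
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def random_password_bits(password: str) -> float:
    """Entropy of `password` under the uniform-random assumption above."""
    return random_string_bits(inferred_alphabet_size(password), len(password))


def english_phrase_bits(phrase: str,
                        bits_per_letter: float = ENGLISH_BITS_PER_LETTER) -> float:
    """Entropy of a phrase of ordinary English, counting letters only
    (digits and punctuation that are themselves chosen at random would
    add more; this deliberately does not credit them)."""
    letters = sum(1 for ch in phrase if ch.isalpha())
    return letters * bits_per_letter


def english_letters_needed(target_bits: float,
                           bits_per_letter: float = ENGLISH_BITS_PER_LETTER) -> int:
    """Smallest number of English letters whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_letter)


def expected_brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker trying candidates at `guesses_per_second`
    to hit the secret: on average half the 2**bits space must be searched."""
    seconds = 2.0 ** bits / guesses_per_second / 2
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs: the strings quoted in the thread, plus one
    # English sentence as a stand-in for a mnemonic passphrase.
    rate = 1e9  # assumed offline attacker: a billion guesses per second
    for pw in ("4wj8s06bj2", "v1872cqad730lbsq53i8", "W122@xx!"):
        bits = random_password_bits(pw)
        print(f"{pw!r:26} alphabet={inferred_alphabet_size(pw):3d} "
              f"bits={bits:6.1f} years@1e9/s={expected_brute_force_years(bits, rate):.3g}")
    phrase = "the quick brown fox jumps over the lazy dog"
    print(f"{phrase!r}: {english_phrase_bits(phrase):.1f} bits as English")
    print("English letters needed to match a 10-char random [a-z0-9] password:",
          english_letters_needed(random_string_bits(36, 10)))
    print("English letters needed to match a 20-char random [a-z0-9] password:",
          english_letters_needed(random_string_bits(36, 20)))
```

Run as-is, the script shows that the two 10- and 20-character lowercase-plus-digit strings from the thread come out at about 52 and 103 bits respectively, while a 20-letter passphrase of plain English at 1.5 bits/letter is only about 30 bits; matching the 20-character random string with plain English would take roughly 69 letters. That supports Stephen's point, with the caveat the thread itself raises: deliberate misspellings and random digits or punctuation push a phrase's per-character entropy well above the 1.5-bit figure, which is why a long, salted mnemonic phrase can still beat a short random string.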