On Sat, Jul 07, 2001 at 05:43:28PM +1000, Stephen Robert Norris wrote:
> On Fri, Jul 06, 2001 at 10:03:32PM -0400, Michael H. Warfield wrote:
> > On Sat, Jul 07, 2001 at 03:41:13AM +0200, peter k. wrote:
> >
> > > > > I saw that in the readme: "Password string has a minimum length of 20
> > > > > characters."
> > > > > Aren't 10 byte passwords enough? I don't like having to learn 20 byte
> > > > > passwords =(
> > > >
> > > >     No, 10 byte passwords are NOT enough.  Given that they are
> > > > printable ascii characters and subject to a variety of other entropy
> > > > reducing issues, a password "byte" is probably only worth about 6
> > > > bits of entropy, maybe (probably) less.  That gives you only about
> > > > 60 bits of strength against brute force.  Not enough...
> > > >
> > > >     Rule of thumb... (although all "rules of thumb" are bad since
> > > > they lead to guessable patterns.)  Pass WORD is bad.  Pass PHRASE is
> > > > better.  Make it several words with number substitutions and odd
> > > > punctuation.  Make at LEAST one word misspelled, especially if the
> > > > misspelling is one of the numbers.  (Example: Wizard -> W122@xx!).
> > > > The sillier (or obnoxious, or obscene) the better (easier to remember,
> > > > harder to guess).  Basic mnemonics.  You won't forget and
> > > > 1t_wi11-b3=@xxxxxxx)H! t0 gu3ss..! (it will be a bitch to guess) :-)
> > >
> > > Well, I'm usually using passwords like "4wj8s06bj2" or "7e1t91436g", not any
> > > English or whatever words!!
> > > So if I would have to learn a 20 byte password in that format it would be
> > > like "v1872cqad730lbsq53i8" or "0v7g25y0mp49n26yrntb" and learning that isn't
> > > easy, is it? ;)
> >
> >     But that still doesn't buy you as much entropy as using a
> > longer passphrase that is mnemonic and easier to remember.  Even if
> > you ASSUME that you can use totally random characters, that only
> > approaches 7 bits per character (but can never reach it) and is
> > still less than the strength of a well formed 20 character mnemonic
> > pass phrase that's easier to remember.
>
> Is this really true? According to Schneier's book, English text has
> about 1.5 bits of entropy/letter - a random password has about 6,
> so your passphrase will have to be a good deal longer, even with mis-spelt
> words...

    Read carefully what I said.  I said that "even if you ASSUME that
you can use totally random characters, that only approaches 7 bits".  That
means that it never reaches it.  If you disallow all control characters,
you lose another "1/2 bit" and a little white space, a few fragments more.
If you were to ASSUME totally random printing characters, then you end up
with something slightly less than 96 characters (95) which is about half
way between 6 bits and 7 bits.  You CAN (in some cases) use control
characters in passphrases but not in all cases (^A, ^B - probably, ^S, ^Q -
I think not :-) ), so that only helps a little and gets you a little closer
(approaches) to 7.  The real point is that it's a BAD ASSUMPTION and you
can never really reach 7 bits, so 6 is more realistic (and is why that's
what I used in my first message).

> Mind you, I always use pass phrases when I can - but I whack in random
> digits & punctuation to keep it interesting...

    For the second part of the statement, "is still less than the
strength of a 20 character mnemonic pass phrase", you have to go back to my
earlier message.  I also said to use misspelling and odd numbers and
punctuation, so that's not "English text".  So it sounds like we are in
strong agreement here.  So what's the "Is this really true" question?

>     Stephen
> --
> Stephen Norris          srn@xxxxxxxxx
> Farrow Norris Pty Ltd   +61 417 243 239

    Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
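As an added illustration of the entropy arithmetic argued over in this thread (example code, not from the mail or its authors), the following Python works the figures through: log2 of the alphabet size for uniformly random characters (95 printable ASCII lands between 6 and 7 bits, 128 is the unreachable 7), the total for 10- and 20-character passwords in the lowercase-alphanumeric style peter quotes, the length an English-text passphrase at the 1.5 bits/letter Schneier figure needs to match 60 bits, and a conservative alphabet estimate for a given string. The alphabet sizes, the class-union estimator and the sample strings are constructed for this example.

```python
import math
import string

# Alphabet sizes discussed in the thread (constructed constants for this example).
PRINTABLE_ASCII = 95            # 0x20..0x7E, "slightly less than 96"
ALL_ASCII = 128                 # what a full 7 bits per character would need
LOWER_ALNUM = 36                # a-z plus 0-9, the style of "4wj8s06bj2"
ENGLISH_BITS_PER_LETTER = 1.5   # Schneier's figure for English text
PASSWORD_BITS_PER_CHAR = 6.0    # the thread's realistic per-byte estimate


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character when each one is drawn uniformly from the alphabet."""
    return math.log2(alphabet_size)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Total entropy of a uniformly random password of `length` characters."""
    return length * bits_per_char(alphabet_size)


def length_for_target(target_bits: float, bits_per_character: float) -> int:
    """Smallest length at which the per-character entropy sums to `target_bits`."""
    return math.ceil(target_bits / bits_per_character)


def alphabet_size_used(password: str) -> int:
    """Conservative alphabet estimate: the union of the character classes present.
    An attacker who knows which classes a generator draws from searches no more
    than this, so it is an upper bound on per-character entropy, not a measure."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),   # 95 printable minus 62 alphanumerics
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def expected_guesses(bits: float) -> float:
    """Average brute-force work: half of the 2**bits candidate space."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    for n in (LOWER_ALNUM, PRINTABLE_ASCII, ALL_ASCII):
        print(f"alphabet {n:3d}: {bits_per_char(n):.2f} bits/char")
    for length in (10, 20):
        print(f"{length} random lower-alnum chars: "
              f"{random_password_bits(length, LOWER_ALNUM):.1f} bits")
    target = 10 * PASSWORD_BITS_PER_CHAR
    print(f"English letters needed to reach {target:.0f} bits: "
          f"{length_for_target(target, ENGLISH_BITS_PER_LETTER)}")
```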