On Sat, Jul 07, 2001 at 04:48:56AM -0400, Michael H. Warfield wrote:
> On Sat, Jul 07, 2001 at 05:43:28PM +1000, Stephen Robert Norris wrote:
>
> > > But that still doesn't buy you as much entropy as using a
> > > longer passphrase that is mnemonic and easier to remember. Even if
> > > you ASSUME that you can use totally random characters, that only
> > > approaches 7 bits per character (but can never reach it) and is
> > > still less than the strength of a well formed 20 character mnemonic
> > > pass phrase that's easier to remember.
>
> > Is this really true? According to Schneier's book, English text has
> > about 1.5 bits of entropy/letter - a random password has about 6,
> > so your passphrase will have to be a good deal longer, even with mis-spelt
> > words...
>
> Read carefully what I said. I said that "even if you ASSUME
> that you can use totally random characters, that only approaches
> 7 bits". That means that it never reaches it. If you disallow all
> control characters, you lose another "1/2 bit" and a little white
> space, a few fragments more. If you were to ASSUME totally random
> printing characters, then you end up with something slightly less than
> 96 characters (95) which is about half way between 6 bits and 7 bits.
> You CAN (in some cases) use control characters in passphrases but not
> in all cases (^A, ^B - probably, ^S, ^Q - I think not :-) ), so that
> only helps a little and gets you a little closer (approaches) to 7.
> The real point is that it's a BAD ASSUMPTION and you can never really
> reach 7 bits, so 6 is more realistic (and is why that's what I used
> in my first message).

I'm not sure what the point of this is - _I_ said it was about 6, so you're
arguing I'm wrong, because it's a bit _higher_? Which supports the original
point. Let's say we get 10 characters at 6 bits/character = 60 bits. Let's be
generous and say it's 2 bits/character for our modified English phrase - that
means we need a 30 character passphrase.
I guess my point is that saying it has to be at least 20 characters is
meaningless; I can come up with 10 character passwords that have vastly more
entropy than a 20 character English passphrase (60 vs 30 bits). It seems that
the 20 is really an arbitrary number that just happens to suit the way _some
people_ like to choose passphrases...

Stephen

--
Stephen Norris srn@xxxxxxxxx
Farrow Norris Pty Ltd +61 417 243 239
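The arithmetic both posters are doing, written out as an added example (this is not code from either poster or from the list). It takes the thread's own inputs: 95 printable ASCII characters, 128 for full 7-bit ASCII, 1.5 bits per letter of English from Schneier, and 2 bits per letter as the "generous" figure for a mangled phrase. The function names, the constants' names and the `compare_thread_figures` summary are my own choices; the per-letter figures are assumptions taken from the thread, not measured here.

```python
import math

# Symbol-set sizes used in the thread: 95 printable ASCII characters
# (space through '~') and 128 for all of 7-bit ASCII including controls.
PRINTABLE_ASCII = 95
FULL_ASCII = 128
# Per-letter entropy figures quoted in the thread (assumed, not measured here).
ENGLISH_BITS_PER_LETTER = 1.5
MANGLED_ENGLISH_BITS_PER_LETTER = 2.0


def bits_per_random_char(charset_size: int) -> float:
    """Entropy of one character drawn uniformly at random from charset_size symbols.

    This is a property of the generation process, not of any particular string:
    a password a human picks from the same alphabet does not earn this figure.
    """
    if charset_size < 2:
        raise ValueError("need at least two symbols")
    return math.log2(charset_size)


def random_password_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Total entropy of a uniformly random password of the given length."""
    return length * bits_per_random_char(charset_size)


def passphrase_bits(length: int, bits_per_char: float = ENGLISH_BITS_PER_LETTER) -> float:
    """Entropy of a natural-language passphrase under a per-character estimate."""
    return length * bits_per_char


def passphrase_length_to_match(target_bits: float,
                               bits_per_char: float = ENGLISH_BITS_PER_LETTER) -> int:
    """Smallest passphrase length whose estimated entropy reaches target_bits."""
    if bits_per_char <= 0:
        raise ValueError("bits per character must be positive")
    return math.ceil(target_bits / bits_per_char)


def compare_thread_figures() -> dict:
    """Reproduce the comparison made in the thread: a 10-character random
    password against a 20-character English passphrase, and how long the
    phrase has to be to catch up at 1.5 and at 2 bits per letter."""
    random_10 = random_password_bits(10, PRINTABLE_ASCII)
    english_20 = passphrase_bits(20, ENGLISH_BITS_PER_LETTER)
    return {
        "bits_per_printable_char": bits_per_random_char(PRINTABLE_ASCII),
        "bits_per_ascii_char": bits_per_random_char(FULL_ASCII),
        "random_10_chars": random_10,
        "english_20_chars": english_20,
        "english_length_to_match": passphrase_length_to_match(
            random_10, ENGLISH_BITS_PER_LETTER),
        "mangled_length_to_match": passphrase_length_to_match(
            random_10, MANGLED_ENGLISH_BITS_PER_LETTER),
    }


if __name__ == "__main__":
    for key, value in compare_thread_figures().items():
        print(f"{key:28s} {value:8.2f}")
```

Running it shows where the two posters' numbers come from: log2(95) is about 6.57 bits, so "about 6" and "approaches 7 but never reaches it" are the same fact rounded in different directions, and even full 7-bit ASCII caps a random character at exactly 7.0 bits. Ten random printable characters carry about 65.7 bits, a 20-letter English phrase about 30, and at 1.5 bits per letter the phrase needs 44 letters to match (33 at the generous 2 bits per letter). The figures depend entirely on the process that produced the password; a human-chosen string from the 95-character alphabet is not uniformly random and should not be credited with log2(95) per character.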