Re: Announce loop-AES-v1.3b file crypto package


 



On Sat, Jul 07, 2001 at 09:01:56PM +1000, Stephen Robert Norris wrote:
> On Sat, Jul 07, 2001 at 04:48:56AM -0400, Michael H. Warfield wrote:
> > On Sat, Jul 07, 2001 at 05:43:28PM +1000, Stephen Robert Norris wrote:
> > > > 	But that still doesn't buy you as much entropy as using a
> > > > longer passphrase that is mnemonic and easier to remember.  Even if
> > > > you ASSUME that you can use totally random characters, that only
> > > > approaches 7 bits per character (but can never reach it) and is
> > > > still less than the strength of a well formed 20 character mnemonic
> > > > pass phrase that's easier to remember.

> > > Is this really true? According to Schneier's book, English text has
> > > about 1.5 bits of entropy/letter - a random password has about 6,
> > > so your passphrase will have to be a good deal longer, even with mis-spelt
> > > words...

> > 	Read carefully what I said.  I said that "even if you ASSUME
> > that you can use totally random characters, that only approaches
> > 7 bits".  That means that it never reaches it.  If you disallow all
> > control characters, you lose another "1/2 bit" and a little white
> > space, a few fragments more.  If you were to ASSUME totally random
> > printing characters, then you end up with something slightly less than
> > 96 characters (95) which is about half way between 6 bits and 7 bits.
> > You CAN (in some cases) use control characters in passphrases but not
> > in all cases (^A, ^B - probably, ^S, ^Q - I think not :-) ), so that
> > only helps a little and gets you a little closer (approaches) to 7.
> > The real point is that it's a BAD ASSUMPTION and you can never really
> > reach 7 bits, so 6 is more realistic (and is why that's what I used
> > in my first message).

> I'm not sure what the point of this is - _I_ said it was about 6, so
> you're arguing I'm wrong, because it's a bit _higher_? Which supports
> the original point.

	Ok...  I think we are both in "violent agreement" on this point.
I also stated 6 bits in my original message, so there is where we stand.
I wasn't arguing that you were "wrong" on the 6.  I had even stated 6
in a previous message and used very specific language on the 7.  I
was questioning your statement about that being wrong.  You weren't clear
on what you were objecting to.  So I guess I wasn't sure what your point
was.

> Let's say we get 10 characters at 6 bits/character = 60 bits.

> Let's be generous and say it's 2 bits/character for our modified English
> phrase - that means we need a 30 character passphrase.

	Now here is where you are now invalid.  The 1.5 bits is for
English text and I don't know anyone who is arguing for English text.
My argument was to use a mnemonic passphrase comprising misspellings,
numerical substitutions (oh, I left out odd ball capitalizations) and
strange punctuation.  That does NOT relate to 1.5 bits nor even for
2 bits.  In fact, it should be well over 3 bits of entropy and still be
mnemonic in nature.  The "break even" point would be at effective
3 bits per character and then the advantage still remains that it
is mnemonic for the user.  I'm rather good at coming up with passphrases
that John the Ripper and Crack and L0phtCrack have consistently failed
to break, but they are all still mnemonic (and long).  In many cases,
they are not even mnemonic to recite but are mnemonic to type (touch
typing patterns) and that's a whole 'nother ball of wax.

> I guess my point is that saying it has to be at least 20 characters
> is meaningless; I can come up with 10 character passwords that
> have vastly more entropy than a 20 character English passphrase 
> (60 vs 30 bits).

	But we are not talking about a plain English TEXT passphrase.
You are misapplying the reference of 1.5 bits per character in English
text to something that is only mnemonically related to it.  That is
what's inappropriate here.

	Since there is not a real good measure for what would be a
mnemonic passphrase which is not plain text English, I'm not even sure
how to approach the statistical modeling necessary to come up with a
good figure for the entropy in non-plain-text-english mnemonic passphrases,
but I will venture this as a guess...  For every plaintext passphrase,
there must exist a large number of related, non-plain-text passphrases
which can be related through transposition, substitution, distortion, and
other mechanisms.  It's only necessary to devise one alternative
passphrase option for each character position to increase the effective
entropy by one bit.  You can achieve this by a random mix of capitalizations
alone (you just have to remember the sequence of capitals on your pass
phrase).  That takes us to 2.5 bits there alone.  Four alternatives per
character would yield two additional bits.  Substituting numbers and
punctuation into the plain text English accomplishes that.  This is all
within the realm of possibility (although some combinations of those
distortions would become a reach).  The mnemonic remains and the distortions
are merely perturbations on the mnemonic.

> It seems that the 20 is really an arbitrary number that just happens to
> suit the way _some people_ like to choose passphrases...

	Actually, I think that what was being argued was that 10 was
insufficient.  The original poster was not asking if 20 was sufficient,
he was asking if 10 wasn't sufficient.  IMHO...  10 is not sufficient.
The discussion is not over 20, it's over 10.

	Whether 20 is sufficient or not, depends on your use, but it's
better than 10.  Arguing that 10 characters is insufficient is NOT arguing
that 20 is sufficient.  20 might be, with decent complexity checkers and
it might not be if it were a clear plaintext passphrase.  It might be
total overkill if you are disciplined and have a good enough memory for
high entropy shorter passwords.  Certainly 60 bits (10 characters * 6 bits)
is not safe from brute force attacks unless it is protected by other
mechanisms.

	Ppdd wants TWO 24 character passphrases (48 characters or more
total).  Is that sufficient?  Probably, in most cases.  :-)  Is it better
than 20?  Yeah, I think so, maybe...  Does it have any bearing whatsoever
on whether or not 10 characters is insufficient?  No.

	The argument was over the sufficiency of 10 characters.
Long term, non-volatile, crypto protected by only 60 bits worth of
"key" is subject to being brute force attacked given sufficient
time, equipment, and incentive on the part of the attacker.  You
really REALLY want to protect it?  You don't use 60 bits.

> 	Stephen

> -- 
> Stephen Norris	  srn@xxxxxxxxx
> Farrow Norris Pty Ltd	+61 417 243 239

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
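
Added example, not part of the original message: the entropy arithmetic argued over in this thread, worked through in Python. The per-character figures (1.5, 6) and the 10-character password come from the thread; the function names, the assumption that distortions at each position are independent and equally likely, and the guess rates are assumptions made for illustration.

```python
import math

ENGLISH_BITS = 1.5  # bits/char for plain English text, as quoted in the thread
RANDOM_BITS = 6.0   # working figure both posters use for random characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_bits(symbols: int) -> float:
    """Upper bound on bits/char when every symbol is equally likely."""
    return math.log2(symbols)

def distorted_bits(base_bits: float, forms_per_position: int) -> float:
    """Bits/char when each position independently takes one of
    `forms_per_position` equally likely forms (the original included).
    Independence and uniformity are assumptions; real users do worse."""
    return base_bits + math.log2(forms_per_position)

def break_even_length(random_len: int, random_bits: float,
                      phrase_bits: float) -> int:
    """Shortest passphrase whose total bits match the random password."""
    return math.ceil(random_len * random_bits / phrase_bits)

def years_to_exhaust(total_bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given (assumed) guess rate."""
    return 2.0 ** total_bits / guesses_per_second / SECONDS_PER_YEAR

def comparison_table(random_len: int = 10):
    """Rows of (label, bits/char, length needed to match random_len chars)."""
    cases = [
        ("plain English text", ENGLISH_BITS),
        ("random capitalization (2 forms)", distorted_bits(ENGLISH_BITS, 2)),
        ("caps/digits/punctuation (4 forms)", distorted_bits(ENGLISH_BITS, 4)),
        ("random characters", RANDOM_BITS),
    ]
    return [(name, bits, break_even_length(random_len, RANDOM_BITS, bits))
            for name, bits in cases]

if __name__ == "__main__":
    print(f"95 printable characters: {alphabet_bits(95):.2f} bits/char")
    for name, bits, length in comparison_table():
        print(f"{name:36s} {bits:4.1f} bits/char -> {length:2d} chars")
    for rate in (1e9, 1e12):  # assumed attacker guess rates
        print(f"60 bits at {rate:.0e} guesses/s: "
              f"{years_to_exhaust(60, rate):.2f} years")
```

Under these assumptions the break-even against a 10-character random password is 40 characters of plain English, 24 at 2.5 bits per character, and 18 at 3.5 bits per character.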


Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

