Mr. Touloumtzis, et al.:

Some ideas to increase entropy:

1) Would randomizing the location of the number within each word add more entropy? I noticed you consistently placed the number at the beginning of every word.
2) Would randomizing the capitalization change anything?
3) Would random non-alphanumeric characters in random positions in each of the words help?

Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
VTU 1904G (Volunteer Training Unit)
stuart@xxxxxxxxxxx
west coast: (310)-358-0202  P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005  P.O. Box 45859, Philadelphia, PA 19149-5859
Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's free!)
JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

Saturday, July 07, 2001 7:58 PM

-----Original Message-----
From: owner-linux-crypto@xxxxxxxxxxxx [mailto:owner-linux-crypto@xxxxxxxxxxxx] On Behalf Of Mike Touloumtzis
Sent: Saturday, July 07, 2001 6:55 PM
To: linux-crypto@xxxxxxxxxxxx
Subject: Re: Announce loop-AES-v1.3b file crypto package

On Sun, Jul 08, 2001 at 10:31:51AM +1000, Stephen Robert Norris wrote:
>
> It's not a good passphrase. A random 10 character one might well be better!
>
> I think my general complaint is that people's intuition about what makes
> a good passphrase is bad :)

Here's an algorithm for choosing a strong pass phrase, in case people are curious about one that's demonstrably pretty strong[1]. Comments and corrections welcome.

1) Copy all words between 5 and 10 characters long from the /usr/share/dict/american-english file on a Debian system. This procedure gives me 35,479 words, or about 15 bits of entropy per word, provided they are chosen truly randomly. You might have to localize this procedure to your own system. Just remember: entropy == base 2 logarithm of the number of choices, iff they are truly unpredictable.

2) Select 5 words at random from the list. Use /dev/random or another known good source of entropy.

3) Before each of the words, place a digit from one to eight. Again, these should be chosen at random.

4) Add a space between words (this doesn't contribute entropy but helps readability if you want to write the passphrase down in your completely offline, double-secret hidey-hole, and seems to make the phrase easier for humans to remember--based on informal, empirical testing I have conducted).

You'll now have a passphrase something like this:

"5tornado 5archiver 1nightcap 8Haifa 7ballad"

Such a passphrase has roughly 90 bits of entropy given a known choice of construction algorithm, since each random word choice contributes 15 bits and each random digit (one of eight) contributes 3 bits. The rationale for the numbers is to keep natural language word frequency from coming into play very much, as it might if someone were testing spaced-out English words without knowing your selection algorithm.

=> Ninety bits puts you well into "they'll break in and bug your keyboard first" territory, provided your algorithms and other security factors are good.

5) Don't tell anyone you're using this algorithm. This will add more bits of entropy to your passphrase as a whole, since this passphrase space will become one of many that must be searched.

[1] Actually I'm grubbing for a few more bits of entropy by not revealing my _actual_ passphrase selection algorithm; this is a variant :-).

miket

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
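The five-step construction in the quoted message, carried through as an added worked example (editor's code, not Mike Touloumtzis's or the loop-AES project's). It assumes a small constructed word list in place of Debian's /usr/share/dict/american-english so that it runs offline, and draws its randomness from Python's secrets module (the OS CSPRNG) rather than reading /dev/random directly; the entropy figure is computed exactly as the message states, as the attacker-knows-the-algorithm bound of log2(word count) per word plus log2(8) per digit.

```python
import math
import re
import secrets

# Constructed stand-in for /usr/share/dict/american-english so the example runs
# offline; the real Debian file gave the author 35,479 words of length 5-10.
SAMPLE_DICT = """
a tea tornado archiver nightcap Haifa ballad encyclopedia zebra keyboard
entropy passphrase hidey cryptography loop dict random secret
""".split()

MIN_LEN, MAX_LEN = 5, 10      # step 1: word length bounds from the post
WORDS_PER_PHRASE = 5          # step 2: five words per phrase
DIGITS = "12345678"           # step 3: one of eight digits, 3 bits each


def filter_words(words, min_len=MIN_LEN, max_len=MAX_LEN):
    """Step 1: keep only words whose length lies within [min_len, max_len]."""
    return [w for w in words if min_len <= len(w) <= max_len]


def entropy_bits(n_words, n_phrase_words=WORDS_PER_PHRASE, n_digits=len(DIGITS)):
    """Entropy of a phrase when the attacker already knows this construction.

    Each uniformly chosen word contributes log2(n_words) bits and each digit
    log2(n_digits) bits; the fixed separating spaces contribute nothing.
    """
    return n_phrase_words * (math.log2(n_words) + math.log2(n_digits))


def make_passphrase(wordlist, n=WORDS_PER_PHRASE, digits=DIGITS):
    """Steps 2-4: n random words, each prefixed by a random digit, space-joined.

    The post says to draw from /dev/random; this example substitutes Python's
    secrets module (backed by the OS CSPRNG) as the 'known good source'.
    """
    return " ".join(secrets.choice(digits) + secrets.choice(wordlist) for _ in range(n))


_TOKEN = re.compile(r"^([1-8])(\S+)$")


def passphrase_matches(phrase, wordlist, n=WORDS_PER_PHRASE):
    """Check that a phrase has the documented shape: exactly n space-separated
    tokens, each a digit 1-8 followed by a word from the list. Handy for
    sanity-checking a generator before trusting its output."""
    tokens = phrase.split(" ")
    if len(tokens) != n:
        return False
    allowed = set(wordlist)
    for tok in tokens:
        m = _TOKEN.match(tok)
        if not m or m.group(2) not in allowed:
            return False
    return True


if __name__ == "__main__":
    wordlist = filter_words(SAMPLE_DICT)
    print(make_passphrase(wordlist))
    print(f"{len(wordlist)} candidate words -> {entropy_bits(len(wordlist)):.1f} bits")
    print(f"author's 35,479-word list -> {entropy_bits(35479):.1f} bits")
```

With the author's 35,479-word list the function returns about 90.6 bits, matching the "roughly 90 bits" in the message; with the tiny constructed list here it is only about 33 bits, which is the point of step 1: the strength comes from the size of the pool the words are drawn from, not from the digits or spaces.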