"IT3 Stuart B. Tener, USNR-R" wrote: > > Mr. Touloumtzis, et al.: > > Some ideas to increase entropy: > > 1) Randomizing the location of the number within each word add more entropy? > I noticed you consistently placed the number at the beginning of every word An extra 2 to 3 bits per word, but harder to remember. > 2) Randomizing the capitalization change anything? One bit per letter, harder to remember. > 3) Random non-alphanumeric characters in random positions of each of the > words help? Quite a lot -- if it's one of 16 characters in one of four positions, that's 6 extra bits per word -- but likely very hard to remember. > Very Respectfully, > > Stuart Blake Tener, IT3, USNR-R, N3GWG > VTU 1904G (Volunteer Training Unit) > stuart@xxxxxxxxxxx > west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043 > east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859 > > Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's > free!) > > JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL. > > Saturday, July 07, 2001 7:58 PM > > -----Original Message----- > From: owner-linux-crypto@xxxxxxxxxxxx > [mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Mike Touloumtzis > Sent: Saturday, July 07, 2001 6:55 PM > To: linux-crypto@xxxxxxxxxxxx > Subject: Re: Announce loop-AES-v1.3b file crypto package > > On Sun, Jul 08, 2001 at 10:31:51AM +1000, Stephen Robert Norris wrote: > > > > It's not a good passphrase. A random 10 character one might well be > better! > > > > I think my general complaint is that people's intuition about what makes > > a good passphrase is bad :) > > Here's an algorithm for choosing a strong pass phrase, > in case people are curious for one that's demonstrably > pretty strong[1]. Comments and corrections welcome. > > 1) Copy all words between 5 and 10 characters long > from the /usr/share/dict/american-english file in a > Debian system. This procedure gives me 35,479 words, > or about 15 bits of entropy per word provided they are > chosen truly randomly. > > You might have to localize this procedure to your own > system. Just remember entropy == base 2 logarithm of > number of choices iff they are truly unpredictable. > > 2) Select 5 words at random from the list. Use /dev/random > or another known good source of entropy. > > 3) Before each of the words, place a digit from one to > eight. Again, these should be chosen at random. > > 4) Add a space between words (this doesn't contribute > entropy but helps readability if you want to write > the passphrase down in your completely offline, > double-secret hidey-hole, and seems to make the phrase > easier for humans to remember--based on informal, > empirical testing I have conducted). > > You'll now have a passphrase something like this: > > "5tornado 5archiver 1nightcap 8Haifa 7ballad" > > Such a passphrase has roughly 90 bits of entropy given > a known choice of construction algorithm, since each > random word choice contributes 15 bits and each random > digit (one of eight) contributes 3 bits. > > The rationale for the numbers is to keep natural > language word frequency from coming into play very much, > as it might if someone were testing spaced-out English > words without knowing your selection algorithm. > > => Ninety bits puts you well into "they'll break in > and bug your keyboard first" territory provided your > algorithms and other security factors are good. > > 5) Don't tell anyone you're using this algorithm. > This will add more bits of entropy to your passphrase > as a whole, since this passphrase space will become > one of many that must be searched. > > [1] Actually I'm grubbing for few more bits of entropy by > not revealing my _actual_ passphrase selection algorithm; > this is a variant :-). > > miket > > Linux-crypto: cryptography in and on the Linux system > Archive: http://mail.nl.linux.org/linux-crypto/ > > Linux-crypto: cryptography in and on the Linux system > Archive: http://mail.nl.linux.org/linux-crypto/ Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
