RE: Announce loop-AES-v1.3b file crypto package

Ms. Harris, et al.:

        Given such a methodology as described below: we start at 90 bits of
entropy, where do we end up if we fully implement this strategy?

        As well, where do we end up if we create 5 pass phrases using the
rules below, and each week we rotate from one of the five pass phrases?
Exactly where do we end up?

        I am thinking of writing a piece of software (in C) to generate such
passwords; has anyone thought about doing this? To do it I would need to
draw up an exact set of rules for the software to follow; can we narrow it
down a bit, so that I can do this?


Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
VTU 1904G (Volunteer Training Unit)
stuart@xxxxxxxxxxx
west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859

Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's
free!)

JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

Sunday, July 08, 2001 1:31 AM

-----Original Message-----
From: owner-linux-crypto@xxxxxxxxxxxx
[mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Sandy Harris
Sent: Saturday, July 07, 2001 9:36 PM
To: linux-crypto@xxxxxxxxxxxx
Subject: Re: Announce loop-AES-v1.3b file crypto package

"IT3 Stuart B. Tener, USNR-R" wrote:
>
> Mr. Touloumtzis, et al.:
>
>         Some ideas to increase entropy:
>
> 1) Would randomizing the location of the number within each word add more
> entropy?
> I noticed you consistently placed the number at the beginning of every
> word

An extra 2 to 3 bits per word, but harder to remember.

> 2) Would randomizing the capitalization change anything?

One bit per letter, harder to remember.

> 3) Would random non-alphanumeric characters in random positions of each of
> the words help?

Quite a lot -- if it's one of 16 characters in one of four positions, that's
6 extra bits per word -- but likely very hard to remember.

> Very Respectfully,
>
> Stuart Blake Tener, IT3, USNR-R, N3GWG
> VTU 1904G (Volunteer Training Unit)
> stuart@xxxxxxxxxxx
> west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
> east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859
>
> Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's
> free!)
>
> JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.
>
> Saturday, July 07, 2001 7:58 PM
>
> -----Original Message-----
> From: owner-linux-crypto@xxxxxxxxxxxx
> [mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Mike Touloumtzis
> Sent: Saturday, July 07, 2001 6:55 PM
> To: linux-crypto@xxxxxxxxxxxx
> Subject: Re: Announce loop-AES-v1.3b file crypto package
>
> On Sun, Jul 08, 2001 at 10:31:51AM +1000, Stephen Robert Norris wrote:
> >
> > It's not a good passphrase. A random 10 character one might well be
> better!
> >
> > I think my general complaint is that people's intuition about what makes
> > a good passphrase is bad :)
>
> Here's an algorithm for choosing a strong pass phrase,
> in case people are curious for one that's demonstrably
> pretty strong[1].  Comments and corrections welcome.
>
> 1) Copy all words between 5 and 10 characters long
>    from the /usr/share/dict/american-english file in a
>    Debian system.  This procedure gives me 35,479 words,
>    or about 15 bits of entropy per word provided they are
>    chosen truly randomly.
>
>    You might have to localize this procedure to your own
>    system.  Just remember entropy == base 2 logarithm of
>    number of choices iff they are truly unpredictable.
>
> 2) Select 5 words at random from the list.  Use /dev/random
>    or another known good source of entropy.
>
> 3) Before each of the words, place a digit from one to
>    eight.  Again, these should be chosen at random.
>
> 4) Add a space between words (this doesn't contribute
>    entropy but helps readability if you want to write
>    the passphrase down in your completely offline,
>    double-secret hidey-hole, and seems to make the phrase
>    easier for humans to remember--based on informal,
>    empirical testing I have conducted).
>
>    You'll now have a passphrase something like this:
>
>    "5tornado 5archiver 1nightcap 8Haifa 7ballad"
>
>    Such a passphrase has roughly 90 bits of entropy given
>    a known choice of construction algorithm, since each
>    random word choice contributes 15 bits and each random
>    digit (one of eight) contributes 3 bits.
>
>    The rationale for the numbers is to keep natural
>    language word frequency from coming into play very much,
>    as it might if someone were testing spaced-out English
>    words without knowing your selection algorithm.
>
>    => Ninety bits puts you well into "they'll break in
>    and bug your keyboard first" territory provided your
>    algorithms and other security factors are good.
>
> 5) Don't tell anyone you're using this algorithm.
>    This will add more bits of entropy to your passphrase
>    as a whole, since this passphrase space will become
>    one of many that must be searched.
>
> [1] Actually I'm grubbing for a few more bits of entropy by
> not revealing my _actual_ passphrase selection algorithm;
> this is a variant :-).
>
> miket
>
> Linux-crypto:  cryptography in and on the Linux system
> Archive:       http://mail.nl.linux.org/linux-crypto/


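An added example, not code from anyone in the thread: a small C program of the kind Stuart proposes, which computes the construction's entropy as the base-2 logarithm of the number of choices (as Mike's step 1 states) and draws the five words and five digits from /dev/urandom with rejection sampling so no value is favoured. WORDS is a constructed eight-word stand-in for the 35,479-word dictionary extract; a real tool would load that file, and phrase_bits() takes the real list size so the figure can be checked against it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the dictionary extract; real use loads the word file. */
static const char *WORDS[] = { "tornado", "archiver", "nightcap", "haifa", "ballad", "harbor", "saddle", "quartz" };
#define DICT (sizeof WORDS / sizeof WORDS[0])
#define NWORDS 5                                   /* five words per passphrase, as in the thread */
/* Entropy of one uniform choice among n = log2(n); computed without libm. */
static double bits_of(unsigned long n) {
    double x = (double)n, r = 0.0;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }       /* integer part: count halvings */
    for (double w = 0.5; w > 1e-12; w /= 2.0) {    /* fraction: one bit per squaring, x kept in [1,2) */
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += w; }
    }
    return r;
}
/* k random words from a dict-word list, each prefixed by a random digit 1..8 (3 bits). */
static double phrase_bits(unsigned long dict, int k) {
    return k * (bits_of(dict) + bits_of(8));       /* 35,479 words, k = 5 gives about 90.6 bits */
}
/* Uniform integer in [0,n) from /dev/urandom: 32-bit draws at or above the largest
   multiple of n below 2^32 are rejected, so n need not divide 2^32 (no modulo bias). */
static unsigned long uniform_below(FILE *rnd, unsigned long n) {
    uint64_t limit = (UINT64_C(1) << 32) / n * n;
    uint32_t r;
    do {
        if (fread(&r, sizeof r, 1, rnd) != 1) { perror("/dev/urandom"); exit(1); }
    } while (r >= limit);
    return r % n;
}
/* Writes "<digit><word> <digit><word> ..." into out; returns 0 on success, -1 if it cannot. */
static int make_passphrase(char *out, size_t cap) {
    FILE *rnd = fopen("/dev/urandom", "rb");
    if (!rnd) return -1;
    out[0] = '\0';
    for (int i = 0; i < NWORDS; i++) {
        unsigned long d = uniform_below(rnd, 8) + 1, w = uniform_below(rnd, DICT);
        if (strlen(out) + strlen(WORDS[w]) + 3 > cap) { fclose(rnd); return -1; }
        snprintf(out + strlen(out), cap - strlen(out), "%s%lu%s", i ? " " : "", d, WORDS[w]);
    }
    fclose(rnd);
    return 0;
}
int main(void) {
    char p[128];
    printf("%.1f bits for %d words from 35,479 plus %d digits\n", phrase_bits(35479, NWORDS), NWORDS, NWORDS);
    if (make_passphrase(p, sizeof p) == 0) printf("%s\n", p);
    return 0;
}
```

With the eight-word stand-in list the generated phrase carries only 5 * (3 + 3) = 30 bits; the printed figure is for the real list size, which is the number that matters.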