> Here's an algorithm for choosing a strong pass phrase, > in case people are curious for one that's demonstrably > pretty strong[1]. Comments and corrections welcome. > > 1) Copy all words between 5 and 10 characters long > from the /usr/share/dict/american-english file in a > Debian system. This procedure gives me 35,479 words, > or about 15 bits of entropy per word provided they are > chosen truly randomly. > > You might have to localize this procedure to your own > system. Just remember entropy == base 2 logarithm of > number of choices iff they are truly unpredictable. > > 2) Select 5 words at random from the list. Use /dev/random > or another known good source of entropy. > > 3) Before each of the words, place a digit from one to > eight. Again, these should be chosen at random. > > 4) Add a space between words (this doesn't contribute > entropy but helps readability if you want to write > the passphrase down in your completely offline, > double-secret hidey-hole, and seems to make the phrase > easier for humans to remember--based on informal, > empirical testing I have conducted). > > You'll now have a passphrase something like this: > > "5tornado 5archiver 1nightcap 8Haifa 7ballad" > > Such a passphrase has roughly 90 bits of entropy given > a known choice of construction algorithm, since each > random word choice contributes 15 bits and each random > digit (one of eight) contributes 3 bits. > > The rationale for the numbers is to keep natural > language word frequency from coming into play very much, > as it might if someone were testing spaced-out English > words without knowing your selection algorithm. > > => Ninety bits puts you well into "they'll break in > and bug your keyboard first" territory provided your > algorithms and other security factors are good. > > 5) Don't tell anyone you're using this algorithm. > This will add more bits of entropy to your passphrase > as a whole, since this passphrase space will become > one of many that must be searched. > > [1] Actually I'm grubbing for few more bits of entropy by > not revealing my _actual_ passphrase selection algorithm; > this is a variant :-). > what do you think about my new method? 1) take a piece of paper and a pencil 2) write down 30 or 40 random characters of a-z and 0-9 using your brain as a random character generator, i think thats the best and cheapest one you can get ;) you can also try using upper- and lowercase characters, maybe you'll be able to learn them too.....but 30 characters of a-z and 0-9 are already 180 bits which should be enough for AES128, right? 3) divide your new passphrase into parts of 5 characters which makes it easy for you to memorize each part as a 'word', you can also use more characters per part if your memory is better but you have to learn each part as a 'word' otherwise its harder to learn it 4) while you are learning the passphrase, hide the piece of paper somewhere where nobody will find it, shouldn't be difficult for some days 5) after you've learned it, destroy the paper and flush it down the toilet 6) repeat your passphrase every day even after learning it so you won't forget it! i think thats definitely the best method as i just found out that its quite easy to learn 30 random characters ;) Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
