Password strength

Rob Seastrom rs at seastrom.com
Tue Oct 21 09:39:56 CDT 2014


kf4hcw <kf4hcw at lifeatwarp9.com> writes:

> On 2014-10-20 20:15, Richard O'Neill wrote:
>
> > On 10/20/2014 7:59 PM, Mark Whittington wrote:
> >
> > > Honestly you're better using a passphrase,
> > > something like "I eat Caesar salads on Thursdays only."
> >
> > How about, "The quick brown fox jumps over the lazy dog"? I
> > can remember that. ;-)
>
> Phrases are better -- because they are longer and easier to remember (less
> likely to be copied somewhere accessible), however if your phrases use
> ordinary words then a dictionary can be used to reduce the complexity of the
> password dramatically.

Dramatically, yes, but not consequentially if the phrase length is
adequate.

If one limited oneself to the PGP biometric word list (a dictionary of
256 words, or 8 bits per word), a 16 word passphrase would give you
128 bits of entropy.

If one limited oneself to the Diceware dictionary, one would get
almost 13 bits of entropy per word (7776 words in the dictionary), so
a 10 word passphrase would give you 128 bits of entropy.

How big is 128 bits?  At a trillion tries per second, it would take
5.4 x 10^18 years to have a 50% chance of hitting it.

People's tendency to use actual English phrases lowers the amount of
entropy by a substantial amount.  How substantial?  Might be trillions
or quadrillions of years worth...  which would be startling, but in
the end, inconsequential.

> Simple substitutions for some letters can help a lot --
> like using a zero where an 'o' might be, but be advised that those too are
> well known to cracking programs.

l33tsp3ak does not help and is good only for a false sense of
security.  It is not 1993.

> A better solution is to get a good, strongly encrypted password manager. (I
> like KeePass).
> Make your master password a phrase with a few substitutions or punctuation
> marks. (I combine phrases from jokes, movies, and other interesting memories).
> Your master password gets you into your password manager. Your password
> manager creates cryptographically strong passwords for everything else and
> then remembers them. Not only are my passwords strong -- I never see them and
> couldn't remember them if I did.

How do you know that they're strong?  Can you set a minimum length?

I'll admit to being old school and using PGP encrypted files (you can
handle PGP from inside emacs so there's never an intermediate file
hanging around).

> One other important trick --- avoid saving your passwords in your web
> browser. Don't let it remember your passwords. If you do get 0wn3d by an
> attacker they will dig all of your passwords out of your browser before you
> even know they are there.

This is sound advice.

-r
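The arithmetic behind the entropy figures in the message above (bits per word for the 256-word PGP list and the 7776-word Diceware list, how many words reach 128 bits, and the years-to-50% estimate at a trillion tries per second), as an added worked example that is not code from the original post or its author. The word list `DEMO_WORDS` is a constructed stand-in, not the real Diceware list, and the `years_after_loss` function is an added way to see why knocking "trillions or quadrillions of years" off the estimate is inconsequential.

```python
import math
import secrets

# Dictionary sizes quoted in the message.
PGP_WORDLIST_SIZE = 256   # PGP biometric word list: 8 bits per word
DICEWARE_SIZE = 7776      # Diceware: 6**5 outcomes of five dice

SECONDS_PER_YEAR = 365.25 * 86400


def bits_per_word(dictionary_size: int) -> float:
    """Entropy contributed by one word chosen uniformly at random from the dictionary."""
    return math.log2(dictionary_size)


def words_for_bits(dictionary_size: int, target_bits: float) -> int:
    """Fewest words from this dictionary needed to reach target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(dictionary_size))


def years_to_half(bits: float, tries_per_second: float = 1e12) -> float:
    """Years until exhaustive guessing at the given rate has a 50% chance of success.

    On average half the keyspace (2**bits / 2) has to be tried.
    """
    tries = 2.0 ** (bits - 1)
    return tries / tries_per_second / SECONDS_PER_YEAR


def years_after_loss(bits: float, bits_lost: float, tries_per_second: float = 1e12) -> float:
    """Same estimate after a phrase's structure (real English word order,
    common idioms) costs bits_lost bits of entropy. Every bit lost halves
    the time; 20 bits lost still leaves trillions of years."""
    return years_to_half(bits - bits_lost, tries_per_second)


def generate_passphrase(wordlist, word_count: int) -> str:
    """Pick words uniformly with the OS CSPRNG (secrets), never random.choice."""
    if word_count < 1:
        raise ValueError("word_count must be >= 1")
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed stand-in for the demo; a real Diceware list has 7776 entries.
DEMO_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gavel", "hazel"]

if __name__ == "__main__":
    for name, size in (("PGP word list", PGP_WORDLIST_SIZE), ("Diceware", DICEWARE_SIZE)):
        print(f"{name}: {bits_per_word(size):.2f} bits/word, "
              f"{words_for_bits(size, 128)} words for 128 bits")
    print(f"128 bits at 1e12 tries/s: {years_to_half(128):.2e} years to 50%")
    print(f"after losing 20 bits:    {years_after_loss(128, 20):.2e} years to 50%")
    # 8-word demo list gives 3 bits/word, so 30 bits needs 10 words.
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, words_for_bits(len(DEMO_WORDS), 30)))
```

Run it with `python3` and the two dictionary lines reproduce the message's 16-word and 10-word figures; the 5.39e18-year line matches the "5.4 x 10^18 years" estimate. The only assumption beyond the message is the fixed 365.25-day year used to convert seconds.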
