
Welsh Password Generator - DemiGuru
https://welshpassword.wheresalice.info/
======
jacekm
Just 3 words will not make a safe password. People are asking in comments why,
so let me try to offer an explanation.

First of all, we don't know how large the dictionary is. @Symbiote mentioned
132k words, but typically for the diceware method (a method where you randomly
select words from a dictionary) only 7776 are used (why so few? because then
it's easier to select the words by rolling actual dice). Nevertheless,
let's assume 170k for now. Nowadays you can crack 100-500 GH/s (100*10^9) [1]
at home (you need $25000 for the hardware, but let's assume a rich household
;))

So we have (132k^3) / (100 GH/s) = 23000 seconds [2]. That's less than 7
hours!

You could argue that nowadays everyone uses bcrypt, so such speeds are not
possible. The question is: are you really sure that no one uses md5 any
longer?

[1]
[https://gist.github.com/epixoip/ace60d09981be09544fdd3500505...](https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505)

[2]
[https://www.wolframalpha.com/input/?i=%28132000%5E3+hashes%2...](https://www.wolframalpha.com/input/?i=%28132000%5E3+hashes%29+%2F+%28100+GH%2Fs%29)

------
pwinnski
Being difficult to pronounce for English-speakers doesn't make dictionary
words secure!

Fortunately, the web page itself suggests as much, but it's worth reiterating.
Don't use these amusing passwords, please!

~~~
AdmiralAsshat
Realistically, though, how many people do you think have compiled rainbow
tables against a Welsh dictionary?

~~~
pwinnski
It only takes one, and the idea has been floating around twitter for quite a
while, as the linked web page mentions.

~~~
thiagomgd
Javanese then?

------
Symbiote
The Welsh OpenOffice dictionary [1] seems to include 132,000 words.

log₂(132000) = 17, and there are three words, so 41 bits -- almost as good as
the smaller dictionary but four words of "Correct Horse Battery Staple".

(This is a rough estimate, I haven't looked at the dictionary in detail to see
if there are many very similar words etc.)

[1] [https://extensions.openoffice.org/en/project/gwirydd-sillafu...](https://extensions.openoffice.org/en/project/gwirydd-sillafu-cymraeg-welsh-language-spell-checker)

------
LinuxBender
That is a funny and clever site.

I prefer my padding method [1] for greater entropy.

[1] - [https://tinyvpn.org/help/#padding](https://tinyvpn.org/help/#padding)

------
krilly
This is funny but is the opposite of the idea espoused in the
correcthorsebatterystaple xkcd. Welsh words are hard for (most) humans to
remember, but easy for machines to check (since wordlists are publicly
available).

~~~
half-kh-hacker
But surely word lists are publicly available for English words too?

~~~
SAI_Peregrinus
Yes. Diceware is one such, the EFF has some improved variants. With 7776 words
you can roll 5 dice and get a number, which becomes a word. log(7776)/log(2) =
~13, so 13 bits of entropy per word chosen. 7 words for 91 bits of entropy
(over the 80-bit absolute minimum for decent security of a key), 10 for 130
bits of entropy (better than 128-bits that lots of people use for AES), 20 for
260 bits (better than 256, enough to resist even batch attacks by enormously
powerful actors).

Of course a 20 random word string is less a "password" or "passphrase" and
more a "passpoem". You only want one or two of those, as master passwords for
a password manager.
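The arithmetic running through this thread (jacekm's crack-time estimate, Symbiote's bits-per-word figure, and SAI_Peregrinus's diceware word counts) all follows from one model: a passphrase of k words drawn uniformly from a list of N words has N^k possibilities, i.e. k·log₂(N) bits, and an attacker who can test R hashes per second needs at most N^k / R seconds. The block below is an added example written for this page, not code from the linked site or from any commenter. It puts that model into a few functions, adds the 5-dice-to-index mapping that gives diceware its 6^5 = 7776 list size, and generates a passphrase with the OS CSPRNG (`secrets`), which is the one part of the scheme people most often get wrong by reaching for `random`. The ten-entry word list is constructed for illustration; the 132,000 and 100 GH/s figures are the ones quoted in the thread.

```python
import math
import secrets

# Constructed toy wordlist standing in for a real diceware list. Only the list
# SIZE matters for entropy, so 10 words here means about 3.3 bits per word.
TOY_WORDS = ["correct", "horse", "battery", "staple", "afon",
             "bryn", "cwm", "llan", "eisteddfod", "hiraeth"]

DICEWARE_SIZE = 6 ** 5          # 7776: five six-sided dice per word


def bits_per_word(dictionary_size: int) -> float:
    """Entropy of one word chosen uniformly from N candidates: log2(N)."""
    return math.log2(dictionary_size)


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Total entropy of k independent uniform picks: k * log2(N)."""
    return word_count * bits_per_word(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(dictionary_size))


def brute_force_seconds(dictionary_size: int, word_count: int,
                        hashes_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace N^k at a given hash rate.
    The expected time for a random target is half this; a slow hash such as
    bcrypt lowers hashes_per_second by many orders of magnitude, a fast
    unsalted hash such as MD5 does not."""
    return (dictionary_size ** word_count) / hashes_per_second


def dice_to_index(rolls) -> int:
    """Map five rolls of 1..6 to a list index 0..7775 (base-6 digits)."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a die face: {r}")
        idx = idx * 6 + (r - 1)
    return idx


def roll_dice(count: int = 5) -> list:
    """Simulated fair dice from the OS CSPRNG; physical dice work the same."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def generate_passphrase(wordlist, word_count: int, sep: str = " ") -> str:
    """Uniform, CSPRNG-backed selection. random.choice() would be predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(f"{bits_per_word(DICEWARE_SIZE):.2f} bits/word for diceware")
    for target in (80, 128, 256):
        print(f"{target} bits -> {words_needed(DICEWARE_SIZE, target)} words")
    hours = brute_force_seconds(132_000, 3, 100e9) / 3600
    print(f"3 words from 132k list at 100 GH/s: {hours:.1f} h worst case")
    print("sample:", generate_passphrase(TOY_WORDS, 4))
```

Running it reproduces the thread's numbers from the formula rather than from memory: about 12.9 bits per diceware word, 7/10/20 words for the 80/128/256-bit targets, and roughly 6.4 hours to exhaust three words from a 132k list at 100 GH/s. The toy list is far too small to use for anything real; swap in a full published list and the same code applies unchanged.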

------
devtul
I tried to see the Twitter of the creator and it turns out I'm blocked.

