One way I like to remember long yet high-entropy passwords is to memorise a long, somewhat nonsensical phrase and use characters from it. The reverse is also possible. E.g. that one could become "Gordon Freeman joins 27 electric fences 8% kills $39"
Am I just paranoid?
RNNs can learn the distribution of your grammar easily http://karpathy.github.io/2015/05/21/rnn-effectiveness/. The worry is that human generators will condition their random words too much. e.g., "correct" ooohh brain just did an adjective let's throw it a noun next "horse".
>There are some obscure words in both lists. If your passphrase includes a word you don't know, look it up in a good dictionary. Learning the word's meaning will aid your memory and your vocabulary.
Of course there are exceptions when you should start from scratch.
>Because some words on the diceware list are two characters or less, you can get a very short passphrase. If your passphrase, including the spaces between the words, is less than 17 characters long, we recommend that you start over and create a new passphrase. You should also start over if your passphrase is a recognizable English sentence or phrase. (These situations are extremely rare.)
(If it were me I'd just keep adding more and more words if my password was 17 chars or less)
Rerolling 32 times loses 5 bits of security... not a big deal.
5 bits is a significant part of 50 bits. Alternatively, it matters whether an attack takes a month or 2.67 years.
If you prefer to use dice, that's fine, but you're going to get less than two bits of entropy per roll. Enjoy rolling your dice more than 70 times to get 128 bits of entropy. ;)
I have a feeling that a "phrase" password has significantly more entropy than a "character" password of double or even triple the length (comparing a word equal to a character length-wise).
Even taking into account that a real sentence would need to follow a lot of rules, there are still a LOT of adjectives, a LOT of nouns, etc... I'm sure your "meat based" generator is more open to targeted attacks if someone knows your interests or something, but I have a feeling that it's still such a large pool that it's safe.
And if you start to include somewhat nonsensical phrases like "correct horse battery staple" that even opens things up more.
Including other things like spacing, capitalization, misspellings, made up words, or even prepending or appending a "traditional" password gets you even more still.
If you take random words and arrange most of them into a sentence then you drop slightly but you're still okay. If you add any common words like "the" or "was", don't include them in your word count.
While you could boost it with spacing, capitalization, misspellings, etc. you gain very few bits for each modification you have to remember. You're better off tossing a random character or two onto your phrase, or simply making it a word longer.
> English text has between 0.6 and 1.3 bits of entropy for each character of message.
For comparison if you used a random string of alphanumeric characters it will have lg(26 + 26 + 10) = 5.7 bits per character.
So if your password is drawn from an English corpus, if the low end of the estimate is correct, it's only about as strong as a random password 9 times shorter (or 4 on the high end).
But of course we don't want a grammatical English password. Question is how much entropy does our meat-based random generator actually lose due to language bias compared to random word selection from an English dictionary (which I don't disagree with the analysis of as long as it's machine generated).
For instance, having a password like 'unterwasserboot-sparkle-mocidade-yogurt'.
It seems like multilingual folks would be at a distinct advantage here ... at least until you forget which of the words in your password was in which language, and you end up with 'submarine-faisca-jugend-yogurt' instead :)
BIP39 generates 12 word or 24 word mnemonics usually.
This was just a small project I did, and hasn't been checked for correctness. However, it should give you an idea of how you can generate word sequences.
which would be even more secure and just as easy if not more so to remember?
Losing the password store isn't a problem either. It has a git remote on a USB stick. There's a backup if it's ever lost.
The touch setting is specific to OpenPGP keys. If you set it, it works that way for all uses of your OpenPGP key. You can turn it on to see if you like it. If you do, you can also set it to 'fix.' Once fixed, it can never be turned off again without deleting the private key and starting over.
EDIT: irremediable posed the same question at the same time ;-)
Works okay on Mac OS with GPGTools and QTPass.
Such an attack is more attractive and more effective the more people use this specific method.
If you use site name as the passphrase and fixed password ("password" below) instead, you end up with:
I think the "usual" case is that hackers want to get as many passwords as possible, and so singling out an individual for analysis is probably not worth the time, unless you're an "individual of interest" for some reason.
When auto-generating password managers gain mass adoption, there won't be much point to cracking password hashes. Presumably, one would use a different password for everything in that scenario, which makes the clear text password basically useless anyway.
That's why you don't. Give a 64ki word dictionary from your native tongue to your computer and let it choose four words uniformly at random out of it. This gives you a password from a distribution with 64 bits of entropy, and is reasonably easy to memorize with moderate effort.
This means an attacker is expected to proceed to 2^63 hashes to crack such a password. It would take almost 4 years to crack its MD5 digest on the rig used in the demonstration. If you are not using a password manager for external sites (which might not use proper KDFs), you can throw in a fifth word, and be safe for the foreseeable future.
If you pick 6 words, even from a limited set such as Diceware, your phrase is good enough.
I'd be interested to read about any successful attacks against 6- or 7-word diceware phrases.
> Even a GPU cluster from December 2012 could, depending on the cryptographic hashing algorithm used to protect plain-text passwords, cycle through 350 billion guesses per second. Referring to that project, Reinhold wrote, "They claim they can crack a random 8-character password in under six hours. At that speed, attacking a 5-word Diceware passphrase would take on average of 7,300 hours or 10 months to find the correct passphrase, assuming they knew you were using Diceware and developed equally efficient software designed to try only valid Diceware words."
> Further, he noted that "Criminal gangs have built botnets from thousands of computers infected with their malware. Marshaling large numbers of these computers they control might allow them to crack a five word passphrase in a reasonable amount of time." (Gosney's 25-GPU cluster attacked the NTLM cryptographic algorithm that Microsoft has included in every version of Windows since Server 2003. It's known to be much more vulnerable to cracking than other algorithms. Gosney's machine wouldn't perform as fast against PBKDF2, for instance.)
> UPDATE: In a followup e-mail to Ars, Gosney noted that "The figures are based on a brute-force attack that targets a single hash. Due to the nature of GPU computing, attacks that combined multiple words are potentially much slower." At the moment, "Since there are no tools that currently combine three or more words, we don't really know for sure how much slower it would be."
Nobody competent will use md5 and no hash to store passwords. And even if you are not competent, most frameworks providing auth will have sane defaults today.
So "correcthorsebatterystaple" is still a very good practice:
- if the auth is correctly implemented, it's still the best ratio for price/safety.
- if the auth is not, you are fucked in so many ways that your password size is the least of your concern.
Diceware uses a 7776 word dictionary. How insecure is a 6 word diceware passphrase? That should give 77 bits of entropy.
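The arithmetic behind the 64-bit figure (four words from a 64ki list) and the 77-bit figure (six Diceware words) above, together with a generator that picks words uniformly with the OS CSPRNG and applies the quoted 17-character start-over rule. This is an added example, not code posted by anyone in the thread; the function names and the 16-word sample list are constructed for illustration.

```python
import math
import secrets

# Constructed sample list for the demo only; a real list has thousands of words
# (7776 for Diceware, 65536 for the "64ki" dictionary mentioned in the thread).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "ab", "fence", "yogurt",
                "sparkle", "dice", "ox", "submarine", "gordon", "electric",
                "noun", "phrase", "entropy"]

def entropy_bits(list_size, n_words):
    """Bits of entropy when each word is drawn uniformly and independently."""
    return n_words * math.log2(list_size)

def expected_guesses(bits):
    """Average guesses before a hit: half of the 2**bits keyspace."""
    return 2 ** (bits - 1)

def years_to_crack(bits, guesses_per_second):
    """Average time to a hit at a fixed guess rate, in years."""
    return expected_guesses(bits) / guesses_per_second / (365.25 * 24 * 3600)

def generate_passphrase(wordlist, n_words, min_chars=17, sep=" "):
    """Pick n_words with the OS CSPRNG; start over if the result is shorter
    than min_chars (the Diceware rule quoted earlier in the thread)."""
    words = sorted(set(wordlist))  # duplicates would skew the distribution
    longest = max(len(w) for w in words)
    if n_words * longest + (n_words - 1) * len(sep) < min_chars:
        raise ValueError("word list cannot reach min_chars")
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= min_chars:
            return phrase

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 4))
    print(f"4 words from 65536: {entropy_bits(65536, 4):.1f} bits, "
          f"{expected_guesses(64):.3e} expected guesses")
    print(f"6 words from 7776:  {entropy_bits(7776, 6):.1f} bits")
```

The entropy figures hold only when the machine does the choosing; the sample list here gives 4 bits per word and is far too small for real use.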
If you are really smart you will begin using a password manager like 1Password or Keepass to generate and database your passwords across devices.
People have gotten their Bitcoin wallets owned with 60-character passphrases, because they used phrases that appeared in a Web crawl. Number of characters is not the important thing.
That said, your point is valid and it's possible you're right.
The real issue is how different OS and applications handle character encoding and KDF. A good example is WinRAR which does not allow full width CJK characters to be typed in the password field of its UI but one can copy and paste in anything and it will be accepted. Decryption will work on some OS/version combinations but not all.
I was more curious about extending the characters past alphanumeric / special characters, to include Chinese characters as well. That would open up the number of characters required to brute force and probably result in relying on a collision. Until technology catches up.
> Are reposts ok?
> If a story has had significant attention in the last year or so, we kill reposts as duplicates. If not, a small number of reposts is ok.