Rich Freeman via plug on 23 May 2022 12:48:47 -0700



Re: [PLUG] Correct Horse Battery Staple


On Mon, May 23, 2022 at 3:29 PM Walt Mankowski via plug
<plug@lists.phillylinux.org> wrote:
>
> 1Password has a feature where it suggests random passphrases of n
> words. I refresh it a few times until I see a set that makes some sort
> of sense together in my head, and go with them. But hey, whatever
> works!

I'll preface this by saying that it is hard to say how much of an
issue this is, but this was something that was brought up as a
criticism of the xkcd method.  The entropy of randomly chosen words is
in fact what was said in the cartoon, so if you have an RNG output
four words and use those four words as your password, you should be
secure.

However, the moment you start going through sets of suggestions to
pick a set that is easier to remember, or especially if you start
mixing and matching one word from this set with another word from that
set, or just adding your own words in place of one from the RNG, then
you're greatly reducing the entropy of the resulting passphrase.
Instead of four random words, you now have four words that have some
kind of association, and the set of those is far less than the number
of words in the dictionary raised to the fourth power.

As an analogy I just ran pwgen and one of its passwords was:
Hoh0wa3x

Maybe that is hard to memorize so I change it to Ho0ray.  Clearly the
entropy of that is far less than what I started with, and not just
because it is shorter.

That is the hazard with passphrases.  The more you adjust them using
your brain, the more likely it is that somebody can predict it by
using some kind of source of word associations, like words found near
each other in all public domain books or something like that.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
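An added illustration of the entropy argument in the thread, written for this page and not taken from the mail, from 1Password or from the xkcd strip. It models "refresh until the set makes sense" as rejection sampling against a predicate, so the chosen phrase is uniform over the accepted subset and its entropy is log2(accepted count) rather than n * log2(dictionary size); it also models "swap one RNG word for one of your own" as one slot drawn from a much smaller personal vocabulary. The 20-word dictionary, its theme tags and the "makes sense" predicates are constructed stand-ins for whatever word-association source an attacker would actually use; the 7776-word list is the classic diceware size and the 500-word personal vocabulary is an assumed figure.

```python
"""Toy model of how human selection shrinks passphrase entropy.

Constructed example for this thread; not code from 1Password, xkcd or the
poster. The word list, themes and vocabulary sizes are assumptions.
"""
import itertools
import math

# Constructed 20-word "dictionary", each word tagged with a theme. The tags
# stand in for an attacker's association source (the mail mentions words that
# appear near each other in public-domain books); everything here is made up.
TOY_THEMES = {
    "farm":     ["horse", "barn", "tractor", "wheat"],
    "electric": ["battery", "volt", "circuit", "spark"],
    "logic":    ["correct", "proof", "axiom", "valid"],
    "office":   ["staple", "printer", "folder", "memo"],
    "sea":      ["anchor", "tide", "harbor", "whale"],
}
THEME_OF = {w: t for t, words in TOY_THEMES.items() for w in words}
TOY_WORDS = sorted(THEME_OF)


def uniform_entropy_bits(dictionary_size, n_words):
    """Entropy of n words drawn independently and uniformly: n * log2(N)."""
    return n_words * math.log2(dictionary_size)


def all_same_theme(words):
    """Strict 'makes sense together': every word shares one theme."""
    return len({THEME_OF[w] for w in words}) == 1


def at_least_two_share(words):
    """Looser filter: at least one pair of words is associated."""
    return len({THEME_OF[w] for w in words}) < len(words)


def count_accepted(wordlist, n_words, predicate):
    """Exhaustively count ordered n-word sets that pass the predicate.

    Words are drawn with replacement, like an RNG picking n indices, so the
    full space is len(wordlist) ** n_words.
    """
    return sum(1 for combo in itertools.product(wordlist, repeat=n_words)
               if predicate(combo))


def filtered_entropy_bits(wordlist, n_words, predicate):
    """Entropy left if the user keeps refreshing until predicate holds.

    The chosen passphrase is then uniform over the accepted subset, so its
    entropy is log2(accepted), not log2(total). The loss is
    -log2(accepted / total) no matter how many refreshes it took.
    """
    return math.log2(count_accepted(wordlist, n_words, predicate))


def substitution_entropy_bits(dictionary_size, n_words, personal_vocab):
    """Replace one RNG word with a word of your own from a small vocabulary.

    The swapped slot contributes log2(personal_vocab) instead of log2(N).
    """
    return (n_words - 1) * math.log2(dictionary_size) + math.log2(personal_vocab)


if __name__ == "__main__":
    n = 4
    print(f"{n} random words from {len(TOY_WORDS)}: "
          f"{uniform_entropy_bits(len(TOY_WORDS), n):.2f} bits")
    print(f"  refresh until all share a theme: "
          f"{filtered_entropy_bits(TOY_WORDS, n, all_same_theme):.2f} bits")
    print(f"  refresh until any two share:     "
          f"{filtered_entropy_bits(TOY_WORDS, n, at_least_two_share):.2f} bits")
    # Same arithmetic at a realistic scale (7776-word diceware list, assumed
    # 500-word personal vocabulary for the swapped-in word).
    print(f"4 words from 7776: {uniform_entropy_bits(7776, 4):.2f} bits")
    print(f"  one word swapped for one of 500 favourites: "
          f"{substitution_entropy_bits(7776, 4, 500):.2f} bits")
```

Run it and compare the three toy figures: the strict "all one theme" filter keeps only 5 * 4^4 of the 20^4 sets, so roughly seven bits vanish even though every individual word still came from the RNG. The point of the model is that the loss depends on how selective the filter is, not on how many times the button was pressed, and that a single hand-chosen word caps that slot at the size of the chooser's vocabulary.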