Walt Mankowski via plug on 23 May 2022 16:06:36 -0700



Re: [PLUG] Correct Horse Battery Staple


On Mon, May 23, 2022 at 03:48:36PM -0400, Rich Freeman via plug wrote:
> On Mon, May 23, 2022 at 3:29 PM Walt Mankowski via plug
> <plug@lists.phillylinux.org> wrote:
> >
> > 1Password has a feature where it suggests random passphrases of n
> > words. I refresh it a few times until I see a set that makes some sort
> > of sense together in my head, and go with them. But hey, whatever
> > works!
> 
> I'll preface this by saying that it is hard to say how much of an
> issue this is, but this was something that was brought up as a
> criticism of the xkcd method.  The entropy of randomly chosen words is
> in fact what was said in the cartoon, so if you have an RNG output
> four words and use those four words as your password, you should be
> secure.
> 
> However, the moment you start going through sets of suggestions to
> pick a set that is easier to remember, or especially if you start
> mixing and matching one word from this set with another word from that
> set, or just adding your own words in place of one from the RNG, then
> you're greatly reducing the entropy of the resulting passphrase.
> Instead of four random words, you now have four words that have some
> kind of association, and the set of those is far less than the number
> of words in the dictionary raised to the fourth power.
> 
> As an analogy I just ran pwgen and one of its passwords was:
> Hoh0wa3x
> 
> Maybe that is hard to memorize so I change it to Ho0ray.  Clearly the
> entropy of that is far less than what I started with, and not just
> because it is shorter.
> 
> That is the hazard with passphrases.  The more you adjust them using
> your brain, the more likely it is that somebody can predict it by
> using some kind of source of word associations, like words found near
> each other in all public domain books or something like that.

I totally agree. That's why I like what 1Password does -- it gives you
n random words that you can construct your own meaning around.

As an example, I just went into the app and had it suggest a 3 word
"memorable password". One set of 3 words it came up with was

mutiny-dandy-veer

Those words don't really have anything to do with each other, but it's
easy (at least for me) to remember it by imagining a mutinous sailor
wearing a fancy uniform steering a tall ship into a dock.

Of course you can make it even harder to guess by replacing some of the
characters with digits, capital letters, or punctuation, or by using
more words. I'm just using this as an example.

Walt
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
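The two points argued in this thread, that n uniformly random words carry n times log2(dictionary size) bits and that human selection or editing eats into that figure, can be put in numbers. The script below is an added example written for this archive page; it is not code from the thread, from 1Password or from pwgen. It assumes a 7776-word diceware-style list as the dictionary size (1Password's actual list size is not stated in the thread), uses a constructed eight-word list only so the generator runs offline, and estimates character passwords with the usual character-class heuristic, which is exactly the estimator that over-credits a human-edited string like the quoted Ho0ray.

```python
import math
import secrets
import string

# Constructed toy word list so the generator runs offline; a real generator
# draws from a list of thousands of words (the entropy estimate only needs
# the list size, not the words).
SAMPLE_WORDS = ["mutiny", "dandy", "veer", "staple", "battery",
                "horse", "correct", "anchor"]
# Assumption: size of a typical diceware-style word list (6**5 entries).
DICEWARE_LIST_SIZE = 7776


def generate_passphrase(word_list, word_count, separator="-"):
    """Draw word_count words uniformly using the CSPRNG in `secrets`
    (never `random`), independently and with replacement."""
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


def passphrase_entropy_bits(dictionary_size, word_count):
    """Entropy of word_count uniform, independent picks from dictionary_size
    words: log2(dictionary_size ** word_count), i.e. the 'dictionary raised
    to the fourth power' from the thread expressed in bits."""
    return word_count * math.log2(dictionary_size)


def entropy_after_picking_best_of(dictionary_size, word_count, sets_viewed):
    """Lower bound on the min-entropy left when the user refreshes the
    suggestion sets_viewed (k) times and keeps the one they like best.
    A passphrase can only be chosen if it appeared among the k independent
    candidates, so its probability is at most k / D**n. The loss from
    picking a favourite is therefore at most log2(k) bits, however the
    favourite is chosen.  Mixing words across sets or substituting your own
    words is not covered by this bound and can cost far more."""
    return passphrase_entropy_bits(dictionary_size, word_count) - math.log2(sets_viewed)


def character_password_entropy_bits(password):
    """Naive strength estimate for a character password: assume every
    position was drawn uniformly from the union of the character classes
    present.  This is right for a uniformly generated string such as the
    quoted pwgen output, but it over-credits a string a person edited into a
    near-word (Ho0ray), because guessing tools try dictionary words with
    digit substitutions long before they reach random strings."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    D = DICEWARE_LIST_SIZE
    print("fresh passphrase from the toy list:",
          generate_passphrase(SAMPLE_WORDS, 4))
    for n in (3, 4, 6):
        print(f"{n} random words from {D}: {passphrase_entropy_bits(D, n):.1f} bits")
    for k in (1, 8, 64):
        print(f"4 words, best of {k} suggestions: at least "
              f"{entropy_after_picking_best_of(D, 4, k):.1f} bits")
    for pw in ("Hoh0wa3x", "Ho0ray"):
        print(f"{pw}: {character_password_entropy_bits(pw):.1f} bits "
              "(character-class estimate)")
```

Refreshing the suggestions a handful of times costs about three bits for eight views and six bits for sixty-four, a price worth paying for a phrase you will actually remember; the bound only holds while the kept phrase is one complete suggestion, which is the distinction the reply above draws.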