[talk] passwd entropy and strength

Jim B. jpb at jimby.name
Sun Nov 5 21:04:25 EST 2017


* Brian Cully <bcully at gmail.com> [2017-11-05 12:32]:
> On November 5, 2017 at 10:03:21, George Rosamond
> (george at ceetonetechnology.com) wrote:
> > Now the first Tr0... passwd has 3.546... bits per byte, and the second
> > correct... has 3.590... Therefore:
> >
> > Tr0.. 3.546 x 12 digits (including space) and is 42.48 bits of entropy
> >
> > correct... 3.590 x 28 digits and is 100.5 bits of entropy
> >
> > This seems to confirm the argument of the xkcd cartoon. The easier
> > passwd correct... has more than double the bits of entropy and is easier
> > to remember.
> >
> > The problem with that argument, however, is the same problem with
> > Diceware. The words, like Diceware, are all in standard US English
> > dictionaries, and most methods of bits/entropy calculation doesn't take
> > that into account. Both xkcd and Diceware only use a "26 character
> > universe", ie, they limit their content to lower-case alphabet English.
> > So what may look better in terms of some calculations, doesn't add up
> > when it comes to determining patterns, ie, English words.
> >
> > So someone getting some of the passwd really just needs a "Wheel of
> > Fortune" approach to determining a passwd in full.
> >
> > co__ect ho_se batte_y staple
> >
> > "Can I buy an 'r'?"
> >
> > And "universe" is one of the criteria I think matters for password
> > strength. All ASCII printable characters is a 95 universe, which is much
> > better over the 26 in a lower-case (or upper-case) US English alphabet one.
> >
> > Length matters, of course, but I think it's too often the main criteria
> > for users and sysadmins, and the think that intimidates users the most.
> >
> > But it's third criteria that matters in this case, what I call
> > "diversity", ie, can you find it in any dictionary? Does it contain
> > common digraphs (in english, th, ng, st, etc). Both xkcd and Diceware do.
> 
> 	The argument in XKCD, as you???ve mentioned, is finding a more optimal
> entropy:memory ratio, since hard-to-remember passwords tend to be
> easier to guess by reading post-it notes.
> 
> 	I???m a fan of the short english-ish sentence approach. However, it
> doesn???t have anywhere near the entropy you have calculated up above.
> The reason is that if it???s known they???re English words, which you
> should assume in order to calculate minimum entropy, then there???s a
> lot less variation.
> 
> 	/usr/share/dict/words has 235,886 entries on my Mac. That???s ~17.847
> bits of entropy per word. The average English speaker???s vocabulary
> seems to hover at about 15,000 words, which is ~13.872 bits of entropy
> per word. Multiply that by 4 and you get ~55.5 bits of entropy. Not a
> huge improvement over the mixed number-letter case.
> 
> 	I am a big fan of this approach, though, since the
> bits-of-entropy-per-bits-of-neuron ratio is really high. Our brains
> are made for remembering language, and while scrambles of words aren???t
> ideal for recall (vs real grammatical sentences), they???re a /lot/
> better than what amounts to random letter substitution.
> 
> > The conclusion, to me, is that getting users to use the whole ASCII
> > universe of 95 characters with diversity is an achievable goal, and
> > removes the easy brute force dictionary attacks so common.
> 
> 	I???d rather see longer strings of words, personally, since I think
> it???s more efficient when meat-space storage is taken into account. My
> ideal circumstance is basically to have a well-remembered sentence
> that acts as a master password to 1Password or Keychain or something,
> and then offload literally all of the rest of the completely random
> and un-rememberable passwords to that.
> 
> -bjc

Almost agreed.  I agree with the master password and password vault.
The "ease-ability" of remembering all passwords though is moot, IMHO.
I say this for several reasons.

 - The only time I need a password is when I *use* a password.  Since
   I'm actually on a computer every single time I actually need a password
   (discounting ATM PINs) I've concluded that the best strategy is to
   have a reliable password vault, so I created my own.

 - The hash cracking community (let's restrict our discussion to non 3LAs)
   has implemented extremely sophisticated hardware/software cracking
   platforms.  Visit hashcat.net for details.  I've personnaly gone
   through (ok, sampled) the results from just the RockYou hack, and the
   there are many examples of the "correct" variant above.  Since these
   are now part of well known word lists, you wouldn't want to use any
   of those again.  Let's hope the one you last thought of isn't in there.

 - Using a keyboard, you are usually restricted to ASCII 32-127, and in
   a lot of cases with websites, you are sometimes further severely
   restricted in case/number/specials.  This limits your ability to create
   complex passwords, and has the reverse (perverse!) impact of making
   them easier to crack.

 - Like George, I'm very interested in generating and using very hard to
   guess passwords.  Along with the password vault mentioned above, I
   have implemented my own complex password generator with nothing more
   than dd(1), tr(1), and fold(1):

   (export LC_ALL=C; dd if=/dev/random count=10 bs=1K | tr -cd "[:print:]" | tr -d " " ) | fold -w $LEN

   A few samples:
      #]_V\EZLxj1r;Bvd
      ~5r]&-2!{)T:v at M-
      {2kiK/T;(Sa6PP/]
      +<=\DQ6OM1Vjjo&_
      >09Y&.&Hvnw1WDo@
      !S_R3p-*rUU5mwwe
      &dJ]~`,I|aX7X4+)
      -K)!lN2TzA3*L*&@
      ."<^1RVD/0a4D7Pk
      "kjfJ]`YPvULQn1s
      KRug+zp1*JLlt#F]

So, for now, I'm done with remembering the gazillion passwords I need.
I only need to remember my own master password to my own vault.  Since
it's all on my own TrueOS box, I'm happy with my own attack surface at
the moment (except for that one thing https://xkcd.com/538/).

Best,
Jim B.




More information about the talk mailing list