# There is no limit on the length of a passphrase,

Robert J. Hansen rjh at sixdemonbag.org
Wed Oct 22 14:15:13 CEST 2008

```John W. Moore III wrote:
> Robert is a professional Mathematician and actually _loves_ Numbers.

I'm a software engineer nowadays, although my college degrees are on the
math-heavy side of theoretical computer science.  I think it's fair to
call me a mathematician, but I'm not sure I can be said to do it
professionally.

> and I'm sure occasionally says to the Cashier "gimme a Quick Pick on
> the Fantasy 5" knowing full well that the odds of winning are a
> gazillion to 1.

Actually, there's a funny story about the last time I did that.  I was
delivering a paper on destructive visual cryptography, and was stumbling
around to find a 'feelie' to distribute to the profs to make it more
tangible for them.  Then I figured it out: scratch-off lottery tickets,
appropriately marked up.  That led to my last lottery purchase.

> entropy?  CPRNG?  glyph?  Please bear in mind that this is a 'public'
>  List and if at all possible Post in 'laymen's terms' or risk
> confusing Every One else who reads this forum.  All the terms/words
> are valid but without Full explanation You are attempting to benefit
> without 'sharing' with everyone else.  [soapbox put away]

Sorry -- explanations follow.

Entropy is uncertainty, represented as the logarithm base-two of how
many possibilities there are.  For a random person, their driver's
license has either 'M' or 'F' as your sex, so they have one bit (log2 of
2) of entropy (uncertainty) in their gender.

(Fun fact: you can tell mathematicians apart from computer
scientists by asking them for the fundamental unit of
entropy.  A CS guy will say the 'bit'.  A math guy will
say the 'nat'.  The mathematics version of entropy is
found by computing the natural log of the possibilities,
not the log-base-2 of the possibilities.  Hence, 'nat'.
There are about 1.44 bits per nat.)

A good passphrase will have 64+ bits of entropy.  A great passphrase
will have 128 bits.  There's not much point beyond that.

Glyph = one symbol in a language.  It could be a single English letter,
a single Chinese ideogram, or a single Hangul phoneme.  The more glyphs
in your passphrase, the more entropy you have (usually).  English
accumulates about 1.5 bits of entropy per glyph.

CSPRNG = cryptographically secure pseudorandom number generator.  An
algorithm that spits out random-looking garbage.  Different from a PRNG,
in that a cryptanalyst can often "break" (learn how to predict) PRNG
outputs; but CSPRNGs are hardened against these attacks.

```