There is no limit on the length of a passphrase,

Morton D. Trace classpath at arcor.de
Wed Oct 22 15:40:30 CEST 2008



Robert J. Hansen wrote:
> John W. Moore III wrote:
>> Robert is a professional Mathematician and actually _loves_ Numbers.
> 
> I'm a software engineer nowadays, although my college degrees are on the
> math-heavy side of theoretical computer science.  I think it's fair to
> call me a mathematician, but I'm not sure I can be said to do it
> professionally.
> 
>> You _will_ learn if You read/study the Answer from a Guy who buys gas
>> and I'm sure occasionally says to the Cashier "gimme a Quick Pick on
>> the Fantasy 5" knowing full well that the odds of winning are a
>> gazillion to 1.
> 
> Actually, there's a funny story about the last time I did that.  I was
> delivering a paper on destructive visual cryptography, and was stumbling
> around to find a 'feelie' to distribute to the profs to make it more
> tangible for them.  Then I figured it out: scratch-off lottery tickets,
> appropriately marked up.  That led to my last lottery purchase.
> 
>> entropy?  CPRNG?  glyph?  Please bear in mind that this is a 'public'
>>  List and if at all possible Post in 'laymen's terms' or risk
>> confusing Every One else who reads this forum.  All the terms/words
>> are valid but without Full explanation You are attempting to benefit
>> without 'sharing' with everyone else.  [soapbox put away]
> 
> Sorry -- explanations follow.
> 
> Entropy is uncertainty, represented as the logarithm base-two of how
> many possibilities there are.  For a random person, their driver's
> license has either 'M' or 'F' as their sex, so they have one bit (log2 of
> 2) of entropy (uncertainty) in their gender.
> 
>   (Fun fact: you can tell mathematicians apart from computer
>   scientists by asking them for the fundamental unit of
>   entropy.  A CS guy will say the 'bit'.  A math guy will
>   say the 'nat'.  The mathematics version of entropy is
>   found by computing the natural log of the possibilities,
>   not the log-base-2 of the possibilities.  Hence, 'nat'.
>   There are about 1.44 bits per nat.)
> 
> A good passphrase will have 64+ bits of entropy.  A great passphrase
> will have 128 bits.  There's not much point beyond that.
> 
> Glyph = one symbol in a language.  It could be a single English letter,
> a single Chinese ideogram, or a single Hangul phoneme.  The more glyphs
> in your passphrase, the more entropy you have (usually).  English
> accumulates about 1.5 bits of entropy per glyph.
> 
> CSPRNG = cryptographically secure pseudorandom number generator.  An
> algorithm that spits out random-looking garbage.  Different from a PRNG,
> in that a cryptanalyst can often "break" (learn how to predict) PRNG
> outputs; but CSPRNGs are hardened against these attacks.
> 
> 
> 



Dear Mr. Hansen

Here are some random 20-char ASCII passphrases:



bash-3.00$ apg  -a  1  -M  S  -n  20  -m  20
^;@_*-<|./|;&/._;}.!
?<&!\+~&;[//.~_-!|+]
%/<|;*=#&_).$<$;~.}*
-$/\&{%#$){.@-_~.:}]
%\#`%%.[<&~!"*~}>.'_
&>$\({-`]$$``/^):|\^
:}$~$],|?)&>^`!>!:.,
)+'[,/=*':%("|-{.?/!
<!>!-_'/^?^?&>|?#'|&
-:,&~,}**[%%(*=<[&*?
&'*+|]`|";/^*'!+#%`.
/<:="$?(#&`([<)&:"|*
\&.("^.#@>|/({(:%^;<
[,`'[%>;\/"('`_$`:}~
*;!!/*=([`]/-?'.{^;*
*"_`,{&`^+^[-):%@~.;
%()"-*!@*{[?#=<-('{`
(%(<`}{!!)#>#/*">(&@
]+#$!&+/![\(/;}.";>!
]\/\+}./);_"$;|^>.)@
bash-3.00$ apg -v
APG (Automated Password Generator)
version 2.2.3 (PRNG: X9.17/CAST)
Copyright (c) 1999, 2000, 2001, 2002, 2003 Adel I. Mirzazhanov




What is the entropy of the passphrase and of each glyph?

If I insert one or more blanks the entropy will increase, but by how much,
and does it matter whether it is one additional blank or 10 extra blanks?

assuming I will not exceed 20 chars?

How many bits of entropy per glyph, and for the entire passphrase?

What is my gain in entropy for {0,1,2,3,...} randomly or ordered
inserted blanks?

Please?

How much entropy can I have at a maximum
for a 20-char ASCII passphrase,
which means 20 hits on the keyboard?

For a C and Perl programmer
used to reading regular expressions, this should be pronounceable:


&>$\({-`]$$``/^):|\^

and at the end it is piped to a backslashed power function?

I can even see the warning of the Perl interpreter,
but let's assume this is a regex from the next version of Perl.




Sincerely yours,

Morten Gulbrandsen

主バイトホイットフィールド
_____________________________________________________________________
Java programmer, C++ programmer
CAcert Assurer, GSWoT introducer, thawte Notary
Gossamer Spider Web of Trust http://www.gswot.org
Please consider the environment before printing this e-mail!
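As an added worked example (not part of the thread), the following applies the quoted definition of entropy (log2 of the number of equally likely possibilities) to Morten's 20-character question. It assumes a generator that picks every glyph uniformly and independently from an alphabet of a given size, and it models the "inserted blanks" question two ways: blank as one more symbol in the alphabet, and exactly k blanks placed at random positions with the total length held at 20. The alphabet sizes used are assumptions, not apg's actual character set.

```python
import math


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` glyphs, each chosen uniformly and
    independently from `alphabet_size` symbols: length * log2(alphabet_size).
    This is an upper bound: a generator cannot emit more entropy than its
    seed contains, whatever its output alphabet is."""
    return length * math.log2(alphabet_size)


def entropy_blank_in_alphabet(alphabet_size: int, length: int) -> float:
    """Model 1: the blank is simply an extra symbol the generator may pick,
    so every position draws from alphabet_size + 1 symbols."""
    return entropy_bits(alphabet_size + 1, length)


def entropy_with_blanks(alphabet_size: int, length: int, blanks: int) -> float:
    """Model 2: exactly `blanks` of the `length` positions hold a blank, the
    position set being uniform over C(length, blanks) choices, and the other
    positions are uniform over an alphabet that does not contain the blank.
    Possibilities = C(length, blanks) * alphabet_size ** (length - blanks)."""
    if not 0 <= blanks <= length:
        raise ValueError("blanks must lie between 0 and length")
    return math.log2(math.comb(length, blanks)) + (length - blanks) * math.log2(alphabet_size)


def blank_gains(alphabet_size: int, length: int, max_blanks: int) -> list:
    """Gain (or loss) in bits, relative to a blank-free string, for
    0..max_blanks forced blanks under model 2."""
    base = entropy_bits(alphabet_size, length)
    return [(k, entropy_with_blanks(alphabet_size, length, k) - base)
            for k in range(max_blanks + 1)]


if __name__ == "__main__":
    # 95 printable ASCII characters (space included) is the most a single
    # keystroke of plain ASCII can draw from.
    print(f"max for 20 printable-ASCII glyphs: {entropy_bits(95, 20):.1f} bits")
    # Assumed 32-symbol alphabet, roughly the size of a symbol-only set.
    print(f"32 symbols, 20 glyphs: {entropy_bits(32, 20):.1f} bits")
    print(f"blank added to alphabet: {entropy_blank_in_alphabet(32, 20):.1f} bits")
    for k, gain in blank_gains(32, 20, 3):
        # A forced blank costs one full glyph but only buys log2(positions);
        # once the alphabet exceeds the length, each forced blank is a net loss.
        print(f"{k} forced blank(s): gain {gain:+.2f} bits")
```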










