passphrase or random characters the safest

Per Tunedal Casual pt at
Sat May 28 10:12:20 CEST 2005

Hash: SHA1

I once again ponder over wether a passphrase is safer than a string of
random characters.

It's easy to compute the strength of a random string  of characters. About
20 - 25 characters (a-z, A-Z, 0-9 and special characters) would correspond
to a 128-bit symmetric key.

But what about a passphrase. Many people argue that a random looking
password of the initials in a passphrase is fairly safe:  Byu!IAiw?Tai42 .
But it could be attacked with a dictionary attack, "because it comes from
real words". How safe is it then?

A plain text sentence would be worse, because it would be more easily
attacked, some people argue.

But I read a discussion about TrueCrypt and someone argued:
"You could create a "real sentence" from ANY randomly generated password,
since any letter in the password could be the first letter of literally
*thousands* of words. So how could a dictionary attack differentiate
between the password mentioned above, and a truely random one?"

I would argue that:

1.  Five (5) random words would be safer than a random string of 20
characters. There are far more words than there are characters. The entropy
for each word would be about 12.9 bits according to the diceware page . A character would have an entropy of 1.9.

2. In an ordinary sentence, each word would have an entropy of 1-1.4 bits.
If we set the entropy to 1.2 we would need approximately 38.53/1.2 words =
32 Words, if the entropy is 1.4 only 27 words!
Why so many words? Because words are easy to guess with help of the context.

A passphrase of 10 words would be OK if the entropy was 3.9 - it must seem
fairly random then. An entropy of 7.7 would make 5 words sufficient.

I prefer passphrases because they are easier to remember than 20 random
characters. True random words are slightly harder to remember than a phrase.

How to make a short passphrase look random enough?
How can I compute the strength (entropy)?

Is experiments with live persons guessing passphrases the only way to
compute the strength? Do you know of any such experiment? Or can you set up
one at your university? It would be very interesting to compare different
strategies of randomising the passphrase.

Per Tunedal
Civ. ing. Civ. ek.

S:t Mickelsgatan 148
129 44 Hägersten
Telefon: 08-646 34 83

Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.959
Comment: Vad är en PGP-signatur?


More information about the Gnupg-users mailing list