passphrase or random characters the safest

Oskar L. oskar at
Mon May 30 20:58:05 CEST 2005

"Roscoe" <eocsor at> wrote:

> Lets say there are about 100000 words in your dictionary. Lets also
> say there are about 100 different characters on your keyboard.
> Now for password of random characters we would need:
> log(340282366920938463463374607431768211456)/log(100) 20 chars.
> For a password of random words we would need:
> log(340282366920938463463374607431768211456)/log(100000) 8 words.
> So I'm going to have to disagree with your 5 words is better then 20
> letters[1]. Even if we use a 500000 word dictionary (eg: the number in
> the OED) then thats still 7 words.
> Now, thats with randomly picked words. If you want to have some
> coherence to your string of words then thats only going to increase
> the number of words needed.

If you want to use words, then I would suggest that you select them from
different languages. Then the attacker will have to use a very large
dictionary, one containing all words from all languages, if she or he
don't know or can't guess from witch languages you have selected your
words. This kind of passphrase will still be relatively vulnerable to a
brute force attack, since the attacker can limit the characters used in
the attack to letters, so throwing in a few special characters between the
words is a good idea.


More information about the Gnupg-users mailing list