There is no limit on the length of a passphrase,
Morton D. Trace
classpath at arcor.de
Wed Oct 22 15:40:30 CEST 2008
Robert J. Hansen wrote:
> John W. Moore III wrote:
>> Robert is a professional Mathematician and actually _loves_ Numbers.
>
> I'm a software engineer nowadays, although my college degrees are on the
> math-heavy side of theoretical computer science. I think it's fair to
> call me a mathematician, but I'm not sure I can be said to do it
> professionally.
>
>> You _will_ learn if You read/study the Answer from a Guy who buys gas
>> and I'm sure occasionally says to the Cashier "gimme a Quick Pick on
>> the Fantasy 5" knowing full well that the odds of winning are a
>> gazillion to 1.
>
> Actually, there's a funny story about the last time I did that. I was
> delivering a paper on destructive visual cryptography, and was stumbling
> around to find a 'feelie' to distribute to the profs to make it more
> tangible for them. Then I figured it out: scratch-off lottery tickets,
> appropriately marked up. That led to my last lottery purchase.
>
>> entropy? CPRNG? glyph? Please bear in mind that this is a 'public'
>> List and if at all possible Post in 'laymen's terms' or risk
>> confusing Every One else who reads this forum. All the terms/words
>> are valid but without Full explanation You are attempting to benefit
>> without 'sharing' with everyone else. [soapbox put away]
>
> Sorry -- explanations follow.
>
> Entropy is uncertainty, represented as the logarithm base-two of how
> many possibilities there are. For a random person, their driver's
> license has either 'M' or 'F' as their sex, so they have one bit (log2 of
> 2) of entropy (uncertainty) in their gender.
>
> (Fun fact: you can tell mathematicians apart from computer
> scientists by asking them for the fundamental unit of
> entropy. A CS guy will say the 'bit'. A math guy will
> say the 'nat'. The mathematics version of entropy is
> found by computing the natural log of the possibilities,
> not the log-base-2 of the possibilities. Hence, 'nat'.
> There are about 1.44 bits per nat.)
>
> A good passphrase will have 64+ bits of entropy. A great passphrase
> will have 128 bits. There's not much point beyond that.
>
> Glyph = one symbol in a language. It could be a single English letter,
> a single Chinese ideogram, or a single Hangul phoneme. The more glyphs
> in your passphrase, the more entropy you have (usually). English
> accumulates about 1.5 bits of entropy per glyph.
>
> CSPRNG = cryptographically secure pseudorandom number generator. An
> algorithm that spits out random-looking garbage. Different from a PRNG,
> in that a cryptanalyst can often "break" (learn how to predict) PRNG
> outputs; but CSPRNGs are hardened against these attacks.
>
Dear Mr. Hansen,
here are some random 20-char ASCII pass phrases:
bash-3.00$ apg -a 1 -M S -n 20 -m 20
^;@_*-<|./|;&/._;}.!
?<&!\+~&;[//.~_-!|+]
%/<|;*=#&_).$<$;~.}*
-$/\&{%#$){.@-_~.:}]
%\#`%%.[<&~!"*~}>.'_
&>$\({-`]$$``/^):|\^
:}$~$],|?)&>^`!>!:.,
)+'[,/=*':%("|-{.?/!
<!>!-_'/^?^?&>|?#'|&
-:,&~,}**[%%(*=<[&*?
&'*+|]`|";/^*'!+#%`.
/<:="$?(#&`([<)&:"|*
\&.("^.#@>|/({(:%^;<
[,`'[%>;\/"('`_$`:}~
*;!!/*=([`]/-?'.{^;*
*"_`,{&`^+^[-):%@~.;
%()"-*!@*{[?#=<-('{`
(%(<`}{!!)#>#/*">(&@
]+#$!&+/![\(/;}.";>!
]\/\+}./);_"$;|^>.)@
bash-3.00$ apg -v
APG (Automated Password Generator)
version 2.2.3 (PRNG: X9.17/CAST)
Copyright (c) 1999, 2000, 2001, 2002, 2003 Adel I. Mirzazhanov
What is the entropy of the passphrase and of each glyph?
If I insert one or more blanks the entropy will increase, but by how much, and is it the same regardless of whether it is one additional blank or 10 extra blanks, assuming I will not exceed 20 chars?
How many bits of entropy per glyph and for the entire passphrase?
What is my gain in entropy for {0,1,2,3,...} randomly inserted and for ordered inserted blanks?
Please?
How much entropy can I at a maximum have for a 20-char ASCII pass phrase, which means 20 hits on the keyboard?
For a C and Perl programmer used to reading regular expressions this should be pronounceable:
&>$\({-`]$$``/^):|\^
and at the end it is piped to a backslashed power function?
I can even see the warning of the Perl interpreter,
but let's assume this is a regex from the next version of Perl.
Sincerely yours,
Morten Gulbrandsen
主バイトホイットフィールド
_____________________________________________________________________
Java programmer, C++ programmer
CAcert Assurer, GSWoT introducer, thawte Notary
Gossamer Spider Web of Trust http://www.gswot.org
Please consider the environment before printing this e-mail!
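The entropy arithmetic from the explanation quoted above, applied to the apg output and to the blank-insertion questions in this message, as an added example that is not part of the thread. It assumes that apg's -M S mode draws each glyph uniformly from the 32 ASCII punctuation characters (checked against four of the samples) and that "maximum" means all 95 printable ASCII characters; since the gain from blanks depends on whether their positions are random or fixed, both cases are computed.

```python
import math
import string

# Assumption (not stated in the thread): "apg -a 1 -M S" draws each glyph
# uniformly from the 32 ASCII punctuation characters, i.e. string.punctuation.
SYMBOL_ALPHABET = set(string.punctuation)  # 32 symbols

# Largest alphabet reachable with "20 hits on the keyboard": printable ASCII
# including the blank (95 characters), also an assumption.
PRINTABLE_ASCII = {c for c in string.printable if c == " " or not c.isspace()}

# Four of the apg samples from the message above, used to check the assumption.
SAMPLES = [
    "^;@_*-<|./|;&/._;}.!",
    "%/<|;*=#&_).$<$;~.}*",
    ":}$~$],|?)&>^`!>!:.,",
    "<!>!-_'/^?^?&>|?#'|&",
]


def observed_alphabet(samples):
    """Set of distinct glyphs that actually occur in the generated samples."""
    return set("".join(samples))


def bits_per_glyph(alphabet_size):
    """Entropy of one uniformly chosen glyph: log2 of the number of choices."""
    return math.log2(alphabet_size)


def entropy_bits(length, alphabet_size):
    """Entropy of `length` independent, uniformly chosen glyphs."""
    return length * bits_per_glyph(alphabet_size)


def entropy_with_blanks(length, blanks, alphabet_size, random_positions):
    """Entropy of a `length`-glyph passphrase where `blanks` positions hold a
    blank and the rest are uniform symbols. With random_positions=True the
    attacker does not know where the blanks are, which adds log2(C(length,
    blanks)); with False the positions are fixed and known, so blanks add nothing."""
    position_bits = math.log2(math.comb(length, blanks)) if random_positions else 0.0
    return position_bits + entropy_bits(length - blanks, alphabet_size)


if __name__ == "__main__":
    assert observed_alphabet(SAMPLES) <= SYMBOL_ALPHABET
    n = len(SYMBOL_ALPHABET)
    print(f"{n} symbols: {bits_per_glyph(n):.2f} bits/glyph, {entropy_bits(20, n):.2f} bits total")
    for k in range(4):
        print(f"{k} blank(s): random positions {entropy_with_blanks(20, k, n, True):.2f} bits, "
              f"fixed positions {entropy_with_blanks(20, k, n, False):.2f} bits")
    print(f"blank as a 33rd symbol: {entropy_bits(20, n + 1):.2f} bits")
    print(f"maximum for 20 printable ASCII glyphs: {entropy_bits(20, len(PRINTABLE_ASCII)):.2f} bits")
```

Under these assumptions each glyph carries 5 bits and the 20-glyph passphrase 100 bits; a blank at a random position replaces a 5-bit symbol with a log2(20)-bit position choice, so it lowers rather than raises the total, and only treating the blank as a 33rd equally likely symbol adds entropy (about 0.9 bits over 20 glyphs).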