A better way to think about passwords

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 18 02:15:12 CEST 2011


> Correct. But do you claim the ideas are shenanigans:

The idea of "use several words in a combination that's only meaningful and predictable to you" is a good one.  That's not in debate.  The idea of "this is fun" being a passphrase that will require 2,500 years of attacks to break is just absolute balderdash.

> Example: What do you make the _expected_ secure time _estimate_ of:
> a) three four letter words say: muck, ruck, puck?
> b) make them memorable: the puck in the ruck in the muck?

Can't be answered.  In what kind of a system?  What kind of technology can the attacker employ?  Does the attacker have any knowledge about what the key material is probably like ("cribs", in cryptanalytic jargon)?  What kind of budget?  What's the attacker's skill level?  What's... etc.

If we assume the attacker knows you're using English or something close to it, then I'm going to estimate it at about 2.5 bits of entropy per glyph, or about a billion combinations for a 20-character passphrase.  This is enough to stymie a high school student who's running a brute-forcer he wrote in pure Python running on a single terminal in his high school computer lab, but it's literally seconds of work for a major corporation that can easily throw a thousand terminals running hand-tuned Assembly brute-forcers at it.



