A better way to think about passwords

Hedge Hog hedgehogshiatus at gmail.com
Mon Apr 18 03:25:21 CEST 2011

On Mon, Apr 18, 2011 at 10:15 AM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>> Correct. But do you claim the ideas are shenanigans:
> The idea of "use several words in a combination that's only meaningful and predictable to you" is a good one.  That's not in debate.  The idea of "this is fun" being a passphrase that will require 2,500 years of attacks to break is just absolute balderdash.

OK, but to my mind 'this is fun' is an example of the idea.  But we
differ on the definition of idea, so it is likely we won't agree on whether
the '2,500 years' is an incorrect illustration of an idea or an
incorrect idea :)

>> Example: What do you make the _expected_ secure time _estimate_ of:
>> a) three four letter words say: muck, ruck, puck?
>> b) make them memorable: the puck in the ruck in the muck?
> Can't be answered.  In what kind of a system?  What kind of technology can the attacker employ?  Does the attacker have any knowledge about what the key material is probably like ("cribs", in cryptanalytic jargon)?  What kind of budget?  What's the attacker's skill level?  What's... etc.

I'd be interested in the result that comes from the same assumptions
you just used to refute his calculations. That is, those that gave you
the result 'equals ten seconds to break it -- not the 3 minutes he

> If we assume the attacker knows you're using English or something close to it, then I'm going to estimate it at about 2.5 bits of entropy per glyph, or about a billion combinations for a 20-character passphrase.  This is enough to stymie a high school student who's running a brute-forcer he wrote in pure Python running on a single terminal in his high school computer lab, but it's literally seconds of work for a major corporation that can easily throw a thousand terminals running hand-tuned Assembly brute-forcers at it.

I am genuinely interested in _roughly_ how much 'expected secure time'
the phrase 'the puck in the ruck in the muck' (eight words) would buy
you over some random 8-letter string.
Don't go overboard on 'the Science'.  Twenty minutes with someone
'suitable' - maybe even your high school student - and a $5 budget for
a hammer and they _will_ have your passphrase/password, or your life.

Best wishes


πόλλ' οἶδ ἀλώπηξ, ἀλλ' ἐχῖνος ἓν μέγα
[The fox knows many things, but the hedgehog knows one big thing.]
  Archilochus, Greek poet (c. 680 BC – c. 645 BC)
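As an added illustration of why the answer to the question above depends entirely on the assumptions (this is example code, not from either poster): the entropy of 'the puck in the ruck in the muck' under three attacker-knowledge models, next to the random 8-letter baseline, converted to expected break time. The guess rates and the 3000-word four-letter vocabulary are assumptions.

```python
import math

# Hedge Hog's phrase and the baseline he asks about, as they appear in the thread.
PHRASE = "the puck in the ruck in the muck"
RANDOM_BASELINE_LEN = 8          # "some random 8 letter string"
LOWERCASE = 26

# Constructed attacker models (guesses per second); assumed figures, not from the thread.
GUESS_RATES = {
    "online, rate-limited service": 1e2,
    "single hobbyist machine": 1e9,
    "large cluster": 1e13,
}

def bits_random_string(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def bits_per_glyph(bits_each: float, text: str) -> float:
    """Hansen's model: a fixed entropy budget per character of English text."""
    return bits_each * len(text)

def bits_word_template(vocab_size: int, free_words: int) -> float:
    """Attacker with a crib: knows the 'the X in the Y in the Z' template, so
    only the content words are unknown, each drawn from vocab_size candidates."""
    return free_words * math.log2(vocab_size)

def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the keyspace at the given rate."""
    return 2.0 ** bits / 2.0 / guesses_per_second

def scenarios() -> dict:
    """Entropy of the phrase under each knowledge model, beside the baseline."""
    return {
        "random 8 lowercase letters": bits_random_string(LOWERCASE, RANDOM_BASELINE_LEN),
        "phrase, 2.5 bits/glyph (no crib)": bits_per_glyph(2.5, PHRASE),
        # Assumption: about 3000 four-letter English words, template already guessed.
        "phrase, template + 4-letter word list": bits_word_template(3000, 3),
    }

def secure_time_table(guesses_per_second: float) -> dict:
    """Expected break time in seconds for each scenario at one guess rate."""
    return {name: expected_seconds(bits, guesses_per_second)
            for name, bits in scenarios().items()}

if __name__ == "__main__":
    for attacker, rate in GUESS_RATES.items():
        print(f"\n{attacker} ({rate:.0e} guesses/s)")
        for name, secs in secure_time_table(rate).items():
            print(f"  {name:40s} {scenarios()[name]:5.1f} bits  {secs / 31_557_600:12.3g} years")
```

The same phrase lands on either side of the random-string baseline depending only on whether the attacker is assumed to know the template, which is the point about cribs made in the quoted reply.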

More information about the Gnupg-users mailing list