undefined | Better HN

0 pointspixeloution8y ago0 comments

Just to add to the above comment, a diceware passphrase is MUCH harder to break than most people realize. For example, compare the possible number of combinations:

  Diceware, 6 words          2.2 x 10^23
  Diceware, 5 words          2.8 x 10^19
  Diceware, 4 words          3.6 x 10^15
  a-zA-Z0-9, symbols, 10     4.3 x 10^19
  a-zA-Z0-9, 10char          8.4 x 10^17
  a-zA-Z0-9, 8char           2.2 x 10^15

A 6 word diceware phrase has 100 million more combinations than the 8 character alphanumeric.

0 comments

zeveb8y ago

You might wish to consider these in terms of entropy, which is typically given in bits:

    Diceware, 6 words          77 bits
    Diceware, 5 words          64 bits
    Diceware, 4 words          51 bits
    a-zA-Z0-9, symbols, 10     65 bits
    a-zA-Z0-9, 10char          59 bits
    a-zA-Z0-9, 8char           50 bits

For any remote site, I recommend using 22 characters from [a-zA-Z0-9]; this is 128 bits, and is easily copy-pasteable.

It's highly amusing when a site tells me that such a password is insufficiently complex, given that it will never in the lifetime of the universe be guessed.

MichaelGG8y ago

A 6 word phrase is also over 3x as long as an 8char password.

The entropy calculations are probably generous. The wordlist isn't as long as it looks, because some of the words are strange and people tend to re-roll if they get something like that. It's probably better to assume there's only 1000-2000 "words" people will safely combine.

WorldMaker8y ago

The instructions explicitly tell you not to reroll strange words. Look them up or use them as a mnemonic. Or if you don't like the strangeness in the default diceware word-list, find a word-list you like better. (There are several alternatives including fun ideas like using a foreign language word-list and learning the pronunciations and meanings of those words.)

Also, the combinations list assumes that the attacker knows the method/word-list used to generate the password, which may not be foreknowledge the attacker has access to, especially in cases of giant many account password brute forcing attacks.

MichaelGG8y ago

If you are OK with such words, why not just record the raw dice numbers? Even better, reroll sixes and sum them to get more bits-per-character.

1 more reply

ryanisnan8y ago

This kind of assumes that you're trying to crack a password with the operating assumption that words are indeed not used, that every character is random, and that you wouldn't use some sort of word library to construct passwords.

anonymouz8y ago

No, it doesn't. It assume that you know exactly that the password is a Diceware password. The standard word list has 7776 entries, giving 7776^6 ~ 2.2*10^23 combinations for a 6 word passphrase.

j / k navigate · click thread line to collapse

0 pointspixeloution8y ago0 comments

Just to add to the above comment, a diceware passphrase is MUCH harder to break than most people realize. For example, compare the possible number of combinations:

  Diceware, 6 words          2.2 x 10^23
  Diceware, 5 words          2.8 x 10^19
  Diceware, 4 words          3.6 x 10^15
  a-zA-Z0-9, symbols, 10     4.3 x 10^19
  a-zA-Z0-9, 10char          8.4 x 10^17
  a-zA-Z0-9, 8char           2.2 x 10^15

A 6 word diceware phrase has 100 million more combinations than the 8 character alphanumeric.

0 comments

zeveb8y ago

You might wish to consider these in terms of entropy, which is typically given in bits:

    Diceware, 6 words          77 bits
    Diceware, 5 words          64 bits
    Diceware, 4 words          51 bits
    a-zA-Z0-9, symbols, 10     65 bits
    a-zA-Z0-9, 10char          59 bits
    a-zA-Z0-9, 8char           50 bits

For any remote site, I recommend using 22 characters from [a-zA-Z0-9]; this is 128 bits, and is easily copy-pasteable.

It's highly amusing when a site tells me that such a password is insufficiently complex, given that it will never in the lifetime of the universe be guessed.

MichaelGG8y ago

A 6 word phrase is also over 3x as long as an 8char password.

WorldMaker8y ago

MichaelGG8y ago

If you are OK with such words, why not just record the raw dice numbers? Even better, reroll sixes and sum them to get more bits-per-character.

1 more reply

ryanisnan8y ago

anonymouz8y ago

No, it doesn't. It assume that you know exactly that the password is a Diceware password. The standard word list has 7776 entries, giving 7776^6 ~ 2.2*10^23 combinations for a 6 word passphrase.

j / k navigate · click thread line to collapse