Penelope Pitstop wrote:
Since DiceWare yields lowercase pass phrases with a single random special character, they are far easier to type, particularly on iOS devices. This makes them ideal for your requirement. I strongly recommend you give it a try.
enhztytgabmqjkqfxkoveaxgpmducsvpixwlhjubrfxrynwcdz is "medium."
1Dog&1Cat!! is "super strong."
I think they need to improve their algorithm.
Maurice Kelly wrote:
I will certainly give the Diceware technique a go for my 1Password master password.
Unfortunately it's not suitable for things like my Windows domain passwords. Our corporate policy is that we have to include at least 1 capital letter, at least one numeral, and we can't have any repeating characters (which you can get through Diceware).
One limitation of this kind of software is that the question "what is the entropy of this particular password" is not actually answerable. We have to know how large the "space" of alternative passwords is.
But a randomly generated 8 character password from the full set may not contain any digits at all. (I'm too lazy to calculate the odds of that happening, but I'm confident that it is a realistic possibility.)
I'm not sure about the straight division by 4 for user generated passwords. I think it is safe to say that the longer a user generated password is, the fewer bits of entropy per character there will be. So I think the amount you divide by needs to be an increasing function of the password length. So instead of

    @combinations = @charset**@length
    @combinations /= 4 if user_gen

it should be something like

    @combinations = (@charset/@user_gen_factor)**@length

As long as @user_gen_factor is greater than 1, this will have an increasing penalty with the length of a user generated password.
I think that this is the biggest issue. We do a simple dictionary check in our password strength tester, but of course it is limited to only a few languages and doesn't check for spelling errors.
Unless you have a very long list of verbs, adjectives, and nouns this might be a real problem. The diceware list has 6^5 (7776) words, so a three word diceware password has 6^15 (about 470 billion) possible passwords (about 40 bits of entropy). If you want to match that with VERB ADJECTIVE NOUN then you will need 6^5 of each type of word. Finding 7000 English verbs may be a challenge.
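The arithmetic in the reply above (the flat divide-by-4 versus a per-character user_gen_factor, the 6^5 / 6^15 diceware counts, and the "no digits at all" odds) worked through as an added example in Ruby. This is not the strength tester's own code; the charset sizes, lengths and the user_gen_factor of 2 are assumptions chosen to illustrate the point.

```ruby
# Added example, not the strength tester's code: entropy arithmetic behind the
# thread's discussion. Charset sizes, lengths and user_gen_factor are assumed.

# Bits of entropy for a uniformly random password of `length` symbols drawn
# from `charset` alternatives: log2(charset ** length).
def random_password_bits(charset, length)
  length * Math.log2(charset)
end

# The original flat penalty: divide the space by 4 once, which costs exactly
# 2 bits no matter how long the password is.
def flat_penalty_bits(charset, length, user_gen)
  combinations = charset ** length
  combinations /= 4 if user_gen
  Math.log2(combinations)
end

# The proposed alternative: shrink the effective alphabet by user_gen_factor,
# so the penalty (log2(factor) bits per character) grows with length.
def per_char_penalty_bits(charset, length, user_gen_factor)
  length * Math.log2(charset.to_f / user_gen_factor)
end

# Diceware: one word is five dice rolls, so 6**5 = 7776 alternatives per word.
DICEWARE_WORDS = 6**5

def diceware_combinations(words)
  DICEWARE_WORDS**words
end

def diceware_bits(words)
  words * Math.log2(DICEWARE_WORDS)
end

# Probability that a uniformly random password of `length` symbols from a
# `charset`-symbol alphabet contains none of a `subset` of those symbols
# (e.g. no digit from a 62-symbol alphanumeric alphabet).
def probability_missing_subset(charset, subset, length)
  ((charset - subset).to_f / charset)**length
end

if __FILE__ == $PROGRAM_NAME
  alnum = 62 # a-z, A-Z, 0-9 (assumed alphabet for the examples)
  [8, 16].each do |len|
    printf("%2d chars: random %.1f bits, flat penalty %.1f bits, per-char penalty %.1f bits\n",
           len, random_password_bits(alnum, len),
           flat_penalty_bits(alnum, len, true),
           per_char_penalty_bits(alnum, len, 2))
  end
  printf("3 diceware words: %d combinations, %.1f bits\n",
         diceware_combinations(3), diceware_bits(3))
  printf("P(8 random alnum chars contain no digit) = %.3f\n",
         probability_missing_subset(alnum, 10, 8))
end
```

Run it and the two penalties diverge as length grows: the flat division always costs 2 bits, while a user_gen_factor of 2 costs one bit per character (8 bits at length 8, 16 at length 16). The no-digit case is not rare: about a quarter of random 8-character alphanumeric passwords have no digit.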
Thanks, Jeff! You had a lot of good points.
Do you mean that you could choose a password randomly from a character set of letters and numbers and possibly get only letters? In that case, it's better to look at the actual password because that is what is being attacked. If you don't have numbers in your password, then it will be easier to crack, even though you chose from a larger character set. Sorry if I misunderstood that.
I've since added a dictionary component as well. I just released a simple web app here (sometimes it's a little slow to load) that tests passwords against a 289,000-word English dictionary (including misspellings and common passwords) and a 176,000-word dictionary of names. It also checks for common letter substitutions and prepending or appending symbols. It also will make a brute-force calculation and display the chance of your password being cracked in a given time period.
There are also several options you can play around with to try different situations. You can read more about it here, where you will also find a link to the source code on Github and a link to a download of my English dictionary in case anyone wants to run it on their own computer. I have many more dictionaries to add, so let me know if there's interest in posting them. I had a ton of fun on this project, and I hope people find it interesting and informative.
You're right that there might not be enough verbs
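An added example, not the web app's own code, of the normalisation step a dictionary-aware check like the one described in the reply above needs before it can look a password up: strip prepended or appended symbols and digits, undo common letter substitutions, then match the remaining core against the word and name lists. The six-word dictionary and three names here are a constructed toy standing in for the 289,000-word and 176,000-word lists; the substitution table is an assumption.

```ruby
# Added example, not the strength tester's code. DICTIONARY, NAMES and
# SUBSTITUTIONS are constructed stand-ins for the app's real lists.
DICTIONARY = %w[password dragon letmein monkey welcome sunshine].freeze
NAMES = %w[michael jessica ashley].freeze

# Common substitutions and the letters they usually stand for. A digit or
# symbol that can be read two ways ('1' as i or l) yields both candidates.
SUBSTITUTIONS = {
  '@' => %w[a], '4' => %w[a], '0' => %w[o], '1' => %w[i l], '!' => %w[i],
  '3' => %w[e], '$' => %w[s], '5' => %w[s], '7' => %w[t]
}.freeze

# Remove any non-letter run that was bolted onto the front or back of the
# word core ("1Dog&1Cat!!" -> "Dog&1Cat"). Returns "" if there is no core.
def strip_affixes(password)
  password.sub(/\A[^a-z]+/i, '').sub(/[^a-z]+\z/i, '')
end

# Every lowercase reading of the core with substitutions undone, e.g.
# "P@ssw0rd" -> ["password"], "l1" -> ["li", "ll"].
def candidate_words(core)
  choices = core.downcase.chars.map { |c| SUBSTITUTIONS.fetch(c, [c]) }
  return [] if choices.empty?
  first, *rest = choices
  first.product(*rest).map(&:join).uniq
end

# The dictionary word or name the password is built on, or nil if none of
# the readings of its core is in either list.
def dictionary_match(password)
  core = strip_affixes(password)
  return nil if core.empty?
  candidate_words(core).find { |w| DICTIONARY.include?(w) || NAMES.include?(w) }
end

# Summary a strength meter could act on: which word was found, how many
# characters were merely prepended/appended, and whether substitutions were
# used to disguise it.
def assess(password)
  core = strip_affixes(password)
  word = dictionary_match(password)
  {
    dictionary_word: word,
    affix_length: password.length - core.length,
    substituted: !word.nil? && core.downcase != word
  }
end

if __FILE__ == $PROGRAM_NAME
  ['P@ssw0rd!!', 'M1chael2014', '1Dog&1Cat!!', 'enhztytgabmqjkqf'].each do |pw|
    puts "#{pw}: #{assess(pw)}"
  end
end
```

The point of the affix and substitution handling is that "P@ssw0rd!!" should not be scored as a 10-character password drawn from a 95-symbol alphabet: once normalised it is one dictionary word plus two trailing characters, and that is the space an attacker actually searches.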