I use a password generator of my own design - basically takes the userid,
concatenated with a fairly long secret phrase, and then I do SHA1 and
convert it to base64, giving a password like:
    Acgq75VpCWjdsJaa5abe9JeX3I (don't worry, this isn't a real password to

After Warren's comment about wanting 256 bits of entropy, I fed this
through an online entropy calculator (https://planetcalc.com/2476/ - I
wouldn't feed a real password through anything on the web!), and got 4.29
bits of Shannon entropy (replacing a character with a special character
didn't change the number). Calculating it on a whole web page only gave

So I tried:
    dd if=/dev/random bs=100 count=1|od -c
and the result only gave 5.00 bits

So I'm guessing this isn't what he meant.

http://rumkin.com/tools/password/passchk.php does a version and it says my
fake password above is 130 bits. The 800 bits of random converted to hex
gives 779 bits

So I guess this is what Warren had in mind.  Posting this in case it helps
somebody on the list.

Thanks  ../Dave
fossil-users mailing list

Reply via email to