At 23:13 2005-05-31, Per Tunedal Casual wrote:

>At 20:58 2005-05-30, you wrote:
>
>"Roscoe" <[EMAIL PROTECTED]> wrote:
>
>>> Let's say there are about 100000 words in your dictionary. Let's also
>>> say there are about 100 different characters on your keyboard.
>>>
>>> Now for a password of random characters we would need:
>>> log(340282366920938463463374607431768211456)/log(100) 20 chars.
>>>
>>> For a password of random words we would need:
>>> log(340282366920938463463374607431768211456)/log(100000) 8 words.
>>>
>>> So I'm going to have to disagree with your "5 words is better than 20
>>> letters"[1]. Even if we use a 500000 word dictionary (e.g. the number in
>>> the OED) then that's still 7 words.
>>>
>>> Now, that's with randomly picked words. If you want to have some
>>> coherence to your string of words then that's only going to increase
>>> the number of words needed.
>>
>>If you want to use words, then I would suggest that you select them from
>>different languages. Then the attacker will have to use a very large
>>dictionary, one containing all words from all languages, if she or he
>>doesn't know or can't guess from which languages you have selected your
>>words. This kind of passphrase will still be relatively vulnerable to a
>>brute force attack, since the attacker can limit the characters used in
>>the attack to letters, so throwing in a few special characters between the
>>words is a good idea.
>>
>>Oskar
>
>
>Thank you Oskar for this idea - it's new to me. Increasing the search space
>by using several languages is a very easy way to improve the security of a
>passphrase or a collection of random words. Someone who wants to do some
>calculations? What about say 1, 2, 3, 4 and 5 languages. How many random
>words are needed to match a 128 bit key?
>
>Per Tunedal

I will answer my own question:

Diceware contains 7776 short English words, abbreviations and
easy-to-remember character strings.

If you use 1 language:
log2(7776)=log(7776)/log(2)=3,8908/0,3010=12,92 bits
128/12,92=9,9 words = 10 words

If you use 2 languages:
log2(2*7776)=log(15552)/log(2)=4,1918/0,3010=13,92 bits
128/13,92=9,9 words = 10 words

If you use 3 languages:
log2(3*7776)=log(23328)/log(2)=4,3679/0,3010=14,51 bits
128/14,51=8,8 words = 9 words

If you use 4 languages:
log2(4*7776)=log(31104)/log(2)=4,4928/0,3010=14,92 bits
128/14,92=8,6 words = 9 words

If you use 5 languages:
log2(5*7776)=log(38880)/log(2)=4,5897/0,3010=15,25 bits
128/15,25=8,4 words = 9 words

Three languages and 9 words is the optimal choice.

The creator of Diceware suggests a password corresponding to only 64 bits
as a practical choice:

"Of course, if you are worried about an organization that can break a
seven word passphrase in order to read your e-mail, there are a number of
other issues you should be concerned with -- such as how well you pay the
team of armed guards that are protecting your computer 24 hours a day."

64 bits would give (after correcting calculations):

10 random characters including special characters.
11 random CAPS, small characters (a-z) and numbers (0-9).
13 random small characters (a-z) and numbers (0-9).
14 random small characters (a-z).
20 random numbers (0-9).
5 random Diceware words (one language).
An English phrase with 54 words.

That's a convenient guide, isn't it!

Per Tunedal

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
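The bits-per-symbol arithmetic in the message, as an added Python example (not part of the original post): it reproduces the 128-bit word counts for 1 to 5 languages and the 64-bit length table, and makes explicit that modelling k languages as one pool of k*7776 words assumes the attacker already knows which languages are in use, so each extra language adds only log2(k) bits per word. The alphabet sizes for the character classes (95 printable ASCII, 62, 36, 26, 10) are my assumptions about what the author counted; the message does not state them.

```python
import math
from typing import Dict

DICEWARE_WORDS = 7776  # list size stated in the message (6^5 dice outcomes)

def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one symbol drawn uniformly at random from the alphabet."""
    return math.log2(alphabet_size)

def symbols_needed(target_bits: int, alphabet_size: int) -> int:
    """Fewest uniformly random symbols whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))

def diceware_words_needed(target_bits: int, languages: int = 1,
                          list_size: int = DICEWARE_WORDS) -> int:
    """Words needed when each word is drawn uniformly from `languages` lists of
    `list_size` words each. This is the message's model (pool = languages*list_size),
    which assumes the attacker knows which languages are in the pool."""
    return symbols_needed(target_bits, languages * list_size)

def extra_bits_per_word(languages: int) -> float:
    """Gain per word from mixing k equally likely lists instead of one: log2(k)."""
    return bits_per_symbol(languages * DICEWARE_WORDS) - bits_per_symbol(DICEWARE_WORDS)

# Alphabet sizes assumed for the author's 64-bit table (not spelled out in the message).
CHAR_CLASSES = {
    "random chars incl. specials (95 printable ASCII)": 95,
    "A-Z, a-z, 0-9": 62,
    "a-z, 0-9": 36,
    "a-z": 26,
    "0-9": 10,
}

def length_table(target_bits: int) -> Dict[str, int]:
    """Password/passphrase length reaching target_bits for each alphabet."""
    rows = {name: symbols_needed(target_bits, size) for name, size in CHAR_CLASSES.items()}
    rows["Diceware words (1 language)"] = diceware_words_needed(target_bits)
    return rows

if __name__ == "__main__":
    for k in range(1, 6):
        print(f"{k} language(s): {bits_per_symbol(k * DICEWARE_WORDS):.2f} bits/word, "
              f"{diceware_words_needed(128, k)} words for 128 bits "
              f"(+{extra_bits_per_word(k):.2f} bits/word over one language)")
    for name, n in length_table(64).items():
        print(f"64 bits: {n:>2} x {name}")
```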
