Laura Creighton writes:
> I think that it is better to take the first letter in every word
> of a memorable phrase so that you do not forget them by mistake.

I was curious how many bits of entropy your phrase method would
produce.  So I took the first volume of Gibbon's _Decline and Fall of
the Roman Empire_ and generated a file containing the first letter of
every word, of which there are 268 776.  gzip -9 was able to compress
this file to 165993 bytes, which is 1 327 944 bits.

I used the following Perl program to generate the initials:
  #!/usr/bin/perl -w
  use strict;
  while (<>) { print substr($&, 0, 1) while /\w+/g }

If we stipulate, for the sake of argument, that gzip was able to
remove all the redundancy in the input (or at least all of it that
might be useful to an attacker), then we get about 4.94 bits per word,
which is pretty darn good --- perfect random selection of lowercase
letters would give us 4.7 bits per letter, and there's a fair amount
of uppercase and some numbers in Gibbon.

An 8-char password generated with 'mkpass' contains 52.6 bits of
entropy.  Using your phrase method, to get an equivalent password,
you'd need 11 characters (the initials of an 11-word phrase), giving
54.3 bits of entropy.  That's not bad.

If you wanted to brute-force passwords generated by this method, gzip
(seeded with 64K of Gibbon or something similar) might not be a bad
place to start.  Just feed the decompressor random noise (and turn off
the CRC checking).

I'm not certain how much entropy using a "memorable" phrase costs us,
but probably not more than five or ten bits, and probably not in an
exploitable fashion.

Would you mind if I posted this message to kragen-discuss?

[She said she didn't mind.]

Reply via email to