On 02/05/2014 06:09 PM, Joseph Bonneau wrote:
> Good project idea Trevor. There are a lot of related tools which aim to
> make random pronounceable passwords. Two for Linux are:
>
> pwgen: zae7IiB7 phoosu1U Hu5meed8 aeY4eeGu oht6ax9M aD4taur4 Ohpai5sh
> sheiGah8
> apg: odripAbag6 (o-drip-Ab-ag-SIX) AzMykUpt3opo (Az-Myk-Upt-THREE-op-o)
pwgen is pretty deeply flawed, if the discussion on oss-security is to be
believed:

  http://thread.gmane.org/gmane.comp.security.oss.general/10265
  http://thread.gmane.org/gmane.comp.security.oss.general/11171
  http://www.openwall.com/lists/oss-security/2012/01/22/6

I haven't reviewed apg with any of the approaches described in the above
thread, but I've also seen other (non-published) "pronounceable" password
generators that were similarly flawed from an entropic/cracking perspective.

> In general, I think it would be nice to have a library for turning random
> bits into "human-friendly form". This might include a tradeoff for
> length/painlessness, but we would also surely get different results if we
> optimize for:
> a) easy for humans to spot differences
> b) easy for humans to pronounce/hear/type
> c) easy for humans to remember
>
> We would also probably end up with a different algorithm for different
> language populations...

This sounds like a major project. I don't think "length/painlessness" is the
right way of framing the tradeoff, though -- in particular, I think you'd want
to use some measure of entropy or dictionary-cracking-resistance in place of
the idea of "length". There are lots of pronounceable schemes that provide
long passwords but not particularly high entropy :/

--dkg
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
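The point dkg makes above, that a long pronounceable password is not automatically a high-entropy one, is easy to make concrete. The following is an added example, not code from the thread and not the algorithm of pwgen or apg: it assumes a toy "pronounceable" scheme that strictly alternates consonants and vowels (21 and 5 symbols respectively), computes the entropy of that scheme per position rather than pretending every character carries log2(26) bits, and compares it with a uniformly random alphanumeric password of the same length. The cracking-rate figure of 1e10 guesses per second is an assumed number for a fast unsalted-hash rig, used only to turn bits into a time scale.

```python
"""Entropy vs. length for a toy pronounceable-password scheme.

Added illustrative example; the consonant/vowel alternation is an ASSUMED
scheme chosen for clarity and is not how pwgen or apg actually work.
"""
import math
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 21 symbols
VOWELS = "aeiou"                       # 5 symbols
ALNUM = ("abcdefghijklmnopqrstuvwxyz"
         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
         "0123456789")                 # 62 symbols


def cv_password(length, rng=secrets):
    """Generate a pronounceable password: consonant, vowel, consonant, ...

    Draws from the `secrets` CSPRNG; a weak RNG is a separate, common flaw
    in such generators and is not what this example is about.
    """
    return "".join(
        rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def matches_cv(pw):
    """True if pw follows the strict C/V alternation cv_password() produces."""
    return all(
        (c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
        for i, c in enumerate(pw)
    )


def cv_entropy_bits(length):
    """log2 of the number of distinct outputs of cv_password(length).

    Each position is independent and uniform over its own alphabet, so the
    entropy is the sum of per-position entropies, NOT length * log2(26).
    """
    n_cons = (length + 1) // 2
    n_vow = length // 2
    return n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))


def uniform_entropy_bits(length, alphabet=ALNUM):
    """Entropy of a password drawn uniformly at random from `alphabet`."""
    return length * math.log2(len(alphabet))


def cv_length_for_bits(target_bits):
    """Smallest C/V password length whose entropy reaches target_bits."""
    length = 1
    while cv_entropy_bits(length) < target_bits:
        length += 1
    return length


def expected_seconds_to_crack(bits, guesses_per_second):
    """Expected brute-force time over a keyspace of 2**bits (half the space on
    average) at an assumed guess rate."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed guess rate for a fast unsalted-hash cracking rig
    print(f"sample C/V password: {cv_password(8)}")
    print(f"{'len':>3} {'C/V bits':>9} {'alnum bits':>10} {'C/V crack (s)':>14}")
    for n in (8, 10, 12, 15):
        cv = cv_entropy_bits(n)
        print(f"{n:>3} {cv:>9.1f} {uniform_entropy_bits(n):>10.1f} "
              f"{expected_seconds_to_crack(cv, rate):>14.3g}")
    need = cv_length_for_bits(uniform_entropy_bits(8))
    print(f"C/V length needed to match 8 uniform alphanumerics: {need}")
```

Running it shows that an 8-character C/V password carries roughly 27 bits, against about 48 bits for 8 uniform alphanumerics, and that the C/V scheme needs 15 characters to catch up. The same per-position accounting is the right first check to run against any "pronounceable" generator before trusting its output length as a measure of strength; real schemes with richer syllable grammars or digit insertion need the grammar enumerated, but the principle is identical.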
