To make it a bit more memorable, you can generate random word strings with some grammatical structure. Here's a quick script to generate output using different grammar templates: https://github.com/sweis/sentencegen

Here are some sample output lines with > 60 bits of entropy each:

* greedily model until overjoyed self till transport
* concerning these burst afterwards dress fretful account
* into myself texture likely twist spooky nut
* innocently jog atop young cry without oranges
* deranged apples obnoxiously delegate atop one gold
* fatally fold towards wholesale nerve off observation

Quite poetic.

On Mon, Jul 7, 2014 at 10:18 PM, Tony Arcieri <[email protected]> wrote:
> I'm working on a program which authenticates public keys using a symmetric
> key derived from a "short authentication string" (five random words). I'm
> using scrypt as a KDF in conjunction with a 32-bit random salt (this is
> actually the only salt size libsodium's implementation of scrypt will
> accept), and encrypting public keys with xsalsa20poly1305 (this will likely
> change to chacha20poly1305 soon if you care). The salt is appended to the
> ciphertext and both are sent over the wire.
>
> I'm trying to randomly select a passphrase as users are notoriously
> terrible at picking passwords. I've settled on this 4096 "most commonly
> used" word list for English (so each word is 12-bits of entropy):
>
> https://raw.githubusercontent.com/cryptosphere/confusion/master/wordlists/en.txt
>
> For now I've somewhat arbitrarily chosen 5 words as being "secure enough"
> for authentication purposes. This gives 60-bits of entropy, which serves as
> an input to scrypt.
>
> The short authentication strings I'm generating seem palatable enough to
> be easily exchanged in person or over the phone. Here are some samples:
>
> shared metaphor property sigh capture
> yeah gravity cycle struggle parental
> recipient briefly payment schedule target
> stare educator ally peak employ
>
> I've also added a refresh button so if the first try gives people too big
> a mouthful, they can refresh until they find a palatable enough phrase.
>
> Some questions:
>
> - Is 60-bits entropy too little, even "stretching" it with scrypt?
> - What scrypt parameters are needed to make this actually secure?
>
> Keep in mind here the main goal is authentication, not confidentiality.
> Once two users have authenticated each other's keys, it doesn't really
> matter that much if someone cracks the password, as it would only reveal
> their public keys. Once the public keys have been authenticated, the
> construct has more or less done its job.
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
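
The entropy arithmetic behind both schemes in this thread (five uniform words from a 4096-entry list, and a grammatical template with differently sized word classes), followed by scrypt stretching, as an added example that is not code from either message or from sentencegen. The word lists are constructed placeholders, the per-slot sizes of the template are constructed, and the scrypt parameters (N=2^14, r=8, p=1) and the 32-byte salt are assumptions of this example, not values from the thread.

```python
import hashlib
import math
import secrets

# Constructed stand-in for a 4096-entry word list (placeholder tokens, not en.txt).
WORDLIST = [f"word{i:04d}" for i in range(4096)]
UNIFORM = [WORDLIST] * 5  # five slots, 12 bits each

# Constructed grammar template: per-slot list sizes are assumptions of this example.
SIZES = {"adverb": 256, "verb": 1024, "prep": 64, "adj": 1024, "noun": 2048}
LISTS = {pos: [f"{pos}{i}" for i in range(n)] for pos, n in SIZES.items()}
TEMPLATE = [LISTS[p] for p in ("adverb", "verb", "prep", "adj", "noun", "prep", "noun")]


def phrase_entropy_bits(slots):
    """Entropy in bits when every slot is drawn uniformly and independently."""
    return sum(math.log2(len(choices)) for choices in slots)


def generate_phrase(slots):
    """Draw one word per slot from the OS CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(choices) for choices in slots)


def derive_key(phrase, salt, n=2**14, r=8, p=1):
    """Stretch the phrase into a 32-byte key; n, r, p are assumed values."""
    return hashlib.scrypt(phrase.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def expected_guesses(bits):
    """Average scrypt evaluations for exhaustive search: half the phrase space."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    for name, slots in (("uniform", UNIFORM), ("template", TEMPLATE)):
        bits = phrase_entropy_bits(slots)
        phrase = generate_phrase(slots)
        salt = secrets.token_bytes(32)  # salt length is an assumption
        key = derive_key(phrase, salt)
        print(f"{name}: {bits:.0f} bits, ~{expected_guesses(bits):.2e} guesses")
        print(f"  phrase: {phrase}")
        print(f"  key:    {key.hex()}")
```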
