On Sat, Nov 29, 2014 at 22:07, Eric Furman wrote:
> OFF TOPIC. This has nothing to do with OpenBSD,
> but a lot of guys here know about this stuff.
> I've done some reading, but still not sure.
> OK, at the risk of looking stupid, which of these passwords is better:
> kMH65?&3
> or
> mylittlelambjumpedovertenredbarns
I think it's a mistake to reverse a password into entropy. If your
pool of possible passwords is sentences from common nursery rhymes,
for example, they may look awesome but in reality there are only a few
thousand possibilities.
Instead, pick a generating algorithm. It can be random letters, random
symbols, whatever. Random words. Random fake words consisting of
alternating consonants and vowels. You know how big the search space
is for each "atom". Divide desired password strength (e.g. 64 bits) by
bits per atom to determine required number of atoms.
For the consonant/vowel example, here's a luajit script that makes
passwords. Even though they are all lower case, they are at least 64
bits "hard".
-- 16 consonant "atoms": a uniform pick from 16 is exactly 4 bits.
local letters = {
  "c", "k", "t", "tr", "rt", "p", "pr", "d",
  "v", "n", "l", "nd", "z", "g", "th", "s" }
-- 8 vowel "atoms": a uniform pick from 8 is exactly 3 bits.
local vowels = { "a", "e", "i", "o", "u", "y", "oo", "ee" }
local letterbits = 4
local vowelbits = 3
local wantedbits = 64
local bits = 0
-- Pull arc4random_uniform(3) from libc via the LuaJIT FFI; it returns a
-- uniformly distributed value in [0, max) without modulo bias.
local ffi = require "ffi"
ffi.cdef[[uint32_t arc4random_uniform(uint32_t);]]
local function rand(max)
  -- shift to 1..max so it can be used directly as a Lua table index
  return ffi.C.arc4random_uniform(max) + 1
end
local atoms = { }
-- Keep appending consonant/vowel pairs (7 bits each) until the
-- accumulated entropy reaches the target; 64 bits needs 10 pairs.
while bits < wantedbits do
  table.insert(atoms, letters[rand(16)])
  table.insert(atoms, vowels[rand(8)])
  bits = bits + letterbits + vowelbits
end
print(table.concat(atoms))
Examples:
treetykaveprethicooputhedu
soonataviceenoopatecoge
gootrozapiceelytrithunula
preezypeendothanundipeesooka
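The "pick a generating algorithm, know the bits per atom, divide" approach from the message above, written out as an added Python example; this is not the poster's script, and it generalises it to any list of atom pools. The 16-letter and 8-vowel pools are the ones from the Lua script; the 3000-line nursery-rhyme pool and the 95-character printable alphabet used for comparison are constructed assumptions, not figures from the message.

```python
import math
import secrets

# Atom pools copied from the message's LuaJIT script. With 16 consonant atoms
# and 8 vowel atoms, every consonant/vowel pair contributes exactly 4 + 3 bits.
LETTERS = ["c", "k", "t", "tr", "rt", "p", "pr", "d",
           "v", "n", "l", "nd", "z", "g", "th", "s"]
VOWELS = ["a", "e", "i", "o", "u", "y", "oo", "ee"]


def bits_per_atom(pool):
    """Entropy of one uniformly random draw from `pool`, in bits."""
    return math.log2(len(pool))


def entropy_bits(pool_size, picks=1):
    """Entropy of `picks` independent uniform draws from a pool of `pool_size`.

    This is the only honest way to rate a password: by the process that
    produced it, not by how random the finished string looks.
    """
    return picks * math.log2(pool_size)


def rounds_needed(wanted_bits, pools):
    """Full rounds through `pools` (one atom from each, in order) needed so the
    accumulated entropy is at least `wanted_bits`."""
    per_round = sum(bits_per_atom(p) for p in pools)
    return math.ceil(wanted_bits / per_round)


def generate(wanted_bits, pools, choose=secrets.choice):
    """Return (password, actual_bits). `choose` is injectable so the
    construction can be tested deterministically; the default is the
    OS CSPRNG via the `secrets` module."""
    rounds = rounds_needed(wanted_bits, pools)
    atoms = [choose(pool) for _ in range(rounds) for pool in pools]
    actual = rounds * sum(bits_per_atom(p) for p in pools)
    return "".join(atoms), actual


if __name__ == "__main__":
    pw, bits = generate(64, [LETTERS, VOWELS])
    print(f"{pw}  ({bits:.0f} bits)")
    # Constructed comparison: a line taken from a pool of ~3000 rhyme
    # sentences versus 8 characters drawn uniformly from 95 printables.
    print(f"rhyme line from 3000: {entropy_bits(3000):.1f} bits")
    print(f"8 random printables:  {entropy_bits(95, 8):.1f} bits")
```

The generator never inspects the output string; the strength figure comes purely from how many uniform draws were made and from how large each pool was, which is the message's point about not "reversing a password into entropy".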