On Sun, Nov 30, 2014, at 03:20 PM, Ted Unangst wrote:
> On Sat, Nov 29, 2014 at 22:07, Eric Furman wrote:
> > OFF TOPIC. This has nothing to do with OpenBSD,
> > but a lot of guys here know about this stuff.
> > I've done some reading, but still not sure.
> > OK, at the risk of looking stupid, which of these passwords is better:
> > kMH65?&3
> > or
> > mylittlelambjumpedovertenredbarns
>
> I think it's a mistake to reverse a password into entropy. If your
> pool of possible passwords is sentences from common nursery rhymes,
> for example, they may look awesome but in reality there are only a few
> thousand possibilities.
>
> Instead, pick a generating algorithm. It can be random letters, random
> symbols, whatever. Random words. Random fake words consisting of
> alternating consonants and vowels. You know how big the search space
> is for each "atom". Divide desired password strength (e.g. 64 bits) by
> bits per atom to determine required number of atoms.
>
> For the consonant/vowel example, here's a luajit script that makes
> passwords. Even though they are all lower case, they are at least 64
> bits "hard".
>
> local letters = {
> "c", "k", "t", "tr", "rt", "p", "pr", "d",
> "v", "n", "l", "nd", "z", "g", "th", "s" }
> local vowels = { "a", "e", "i", "o", "u", "y", "oo", "ee" }
>
> local letterbits = 4
> local vowelbits = 3
>
> local wantedbits = 64
>
> local bits = 0
>
> local ffi = require "ffi"
> ffi.cdef[[uint32_t arc4random_uniform(uint32_t);]]
> local function rand(max)
> return ffi.C.arc4random_uniform(max) + 1
> end
>
> local atoms = { }
> while bits < wantedbits do
> table.insert(atoms, letters[rand(16)])
> table.insert(atoms, vowels[rand(8)])
> bits = bits + letterbits + vowelbits
> end
> print(table.concat(atoms))
>
> Examples:
>
> treetykaveprethicooputhedu
> soonataviceenoopatecoge
> gootrozapiceelytrithunula
> preezypeendothanundipeesooka
Bruce Schneier agrees. :)
According to him, modern password crackers find string-of-words passwords,
like in XKCD, to be easy to crack.
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
But I can't always use a password manager and those passwords are
impossible to remember.
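The "pick a generating algorithm, then count bits per atom" method from Ted's message, carried through in Python as an added illustration (this is not the script from the thread, nor anything either poster wrote). It reuses the same two constructed atom pools and the same 64-bit target, draws atoms with the standard library's CSPRNG-backed secrets.choice instead of arc4random_uniform, and adds a small model_entropy() helper that rates a candidate by the process assumed to have produced it, which is the only sense in which "kMH65?&3" or a passphrase can be given a bit strength at all. The pool sizes for the comparison at the bottom (95 printable ASCII characters, a list of about 4000 well-known phrases, a 7776-word list) are assumed figures chosen for the illustration:

```python
import math
import secrets

# Constructed atom pools mirroring the consonant/vowel scheme from the
# thread: 16 consonant clusters -> 4 bits each, 8 vowel clusters -> 3 bits.
CONSONANTS = ["c", "k", "t", "tr", "rt", "p", "pr", "d",
              "v", "n", "l", "nd", "z", "g", "th", "s"]
VOWELS = ["a", "e", "i", "o", "u", "y", "oo", "ee"]


def bits_per_atom(pool):
    """Entropy of one uniformly random pick from `pool`, in bits."""
    return math.log2(len(pool))


def rounds_needed(wanted_bits, pools):
    """Number of passes through `pools` (one atom drawn from each pool per
    pass) needed to reach `wanted_bits`; a pass contributes sum(log2(len(p)))."""
    per_round = sum(bits_per_atom(p) for p in pools)
    return math.ceil(wanted_bits / per_round)


def generate(wanted_bits=64, pools=(CONSONANTS, VOWELS), pick=secrets.choice):
    """Build a password from uniformly chosen atoms; return (password, bits).

    `pick` is the chooser: secrets.choice (CSPRNG) by default, and a
    deterministic stand-in can be injected for testing."""
    rounds = rounds_needed(wanted_bits, pools)
    per_round = sum(bits_per_atom(p) for p in pools)
    atoms = [pick(pool) for _ in range(rounds) for pool in pools]
    return "".join(atoms), rounds * per_round


def model_entropy(pool_size, count):
    """Entropy of `count` independent uniform picks from `pool_size` equally
    likely choices. A password's strength is a property of the generator
    that produced it, not of how the resulting string looks."""
    return count * math.log2(pool_size)


if __name__ == "__main__":
    pw, bits = generate(64)
    print(f"{pw}  ({bits:.0f} bits from {len(pw)} characters)")
    # Rating the two candidates from the question by plausible generators.
    # Pool sizes are assumed for the illustration, not measured anywhere.
    print("8 chars drawn uniformly from 95 printable ASCII:",
          f"{model_entropy(95, 8):.1f} bits")
    print("one line picked from ~4000 well-known rhymes/phrases:",
          f"{model_entropy(4000, 1):.1f} bits")
    print("5 words drawn uniformly from a 7776-word list:",
          f"{model_entropy(7776, 5):.1f} bits")
```

Two things worth noticing when running it. With 7 bits per consonant/vowel pair, the 64-bit target needs 10 pairs, so the result is 70 bits rather than exactly 64, the same rounding-up the luajit loop performs. The bit count also assumes that different atom sequences always yield different strings; with these pools that holds, because every consonant cluster is followed by a vowel cluster and no cluster can be split into two other atoms of the right kind, but a pool that mixed, say, "o" and "oo" on the consonant side would let distinct draws collide and silently lower the real entropy.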