On 2016-12-17 17:43:12, Brian Candler wrote:
> On 17/12/2016 22:02, Antoine Beaupré wrote:
>> a 18 bytes password contains (naturally) 144 bits of entropy and
>> base64 turns that in a 25 character password
> base64 turns each group of 3 bytes into 4 characters, so 18 bytes => 24
> characters

ah. yes. i was counting the last = sign, sorry.

>> base64 passwords are more portable and incur only a ~13% size increase
>> compared to original byte stream.
>
> 4/3 = 33% increase

oops. yes, that is more accurate.

> But anyway, I'm happy with the proposed approach for default password
> generator. Undoubtedly there will be people who want something else, so
> it would be good if it could be pluggable.

yes, maybe that is what i should have worked on instead. :)

> (Aside: I don't actually see any need for entropy > 96 bits: brute
> forcing 2^95 combinations, at a trillion attempts per second, would take
> 1.25 billion years. But I suppose burning a bit more entropy and storage
> does little harm)

well, i was just trying to avoid changing the default (and it looks like
i failed at that too :).

that said, having long password *does* a little harm: it won't work, by
default, in certain sites that have obtuse password policies (e.g. "max
16 characters", which is around, coincidentally, 96 bits of entropy in my
proposed algorithm).

in very old and awkward /dev/random implementations, it could also
deplete the entropy pool, but if you are running such a platform, you
will likely have other problems to worry about.

A.

--
When I came back to the United States, I decided that if you could
use propaganda for war, you could certainly use it for peace. And
"propaganda" got to be a bad word because of the Germans using it, so
what I did was to try and find some other words so we found the words
"public relations".
                        - Edward Bernays
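
The figures traded in this message (18 bytes to 24 characters, the 4/3 size ratio, 16 characters for 96 bits, 1.25 billion years) can be reproduced with the sketch below. It is an added example, not code from the thread or from pass itself; the function names are hypothetical, and stripping the `=` padding is an assumption about how such a generator would emit passwords.

```python
import base64
import math
import secrets


def b64_length(n_bytes, padded=True):
    """Number of characters base64 produces for n_bytes of input."""
    if padded:
        return 4 * math.ceil(n_bytes / 3)   # whole 4-char groups, '=' filled
    return math.ceil(n_bytes * 8 / 6)       # 6 bits per character, no '='


def generate(n_bytes=18):
    """Return (password, entropy_bits) built from n_bytes of CSPRNG output."""
    raw = secrets.token_bytes(n_bytes)
    # Assumption: padding is dropped, since '=' carries no entropy.
    password = base64.b64encode(raw).decode("ascii").rstrip("=")
    return password, n_bytes * 8


def fit_policy(max_chars):
    """Largest whole-byte input whose unpadded base64 fits in max_chars.

    Returns (n_bytes, entropy_bits) for a site with a length limit.
    """
    n_bytes = max_chars * 6 // 8
    return n_bytes, n_bytes * 8


def brute_force_years(bits, guesses_per_second=1e12):
    """Years to try half the keyspace, i.e. 2**(bits - 1) guesses."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw, bits = generate(18)
    print(f"18 bytes -> {len(pw)} chars, {bits} bits, "
          f"ratio {b64_length(18) / 18:.3f}")
    n, bits16 = fit_policy(16)
    print(f"16-char limit -> {n} bytes, {bits16} bits")
    print(f"96 bits at 1e12/s -> {brute_force_years(96):.3g} years")
```
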