On Tue, 30 Oct 2018 at 08:01PM +0100, Kjetil Torgrim Homme wrote:
> On 30 Oct 2018 12:10, Matthieu Weber wrote:
> > On Tue, 30 Oct 2018 at 10:33AM +0100, Kjetil Torgrim Homme wrote:
> >> yes, but sometimes you need to enter this password by hand. I use horse
> >> battery passwords when I might need to enter the password on a mobile
> >> phone or on a console in a chilly data centre in the middle of the
> >> night. both of these will often have problems with strange characters
> >> or keyboard layouts (is "&" on Shift 6 or Shift 7? since there is often
> >> no echo, there is no way to be sure!)
> >
> > So you want passwords that are easy to type: generate passwords that are
> > made entirely of lowercase letters; all you need is 40% more characters
> > to have the same entropy as a password made of alphanumerics+symbols,
> > i.e., 11 characters instead of 8. They will be easy enough to type even
> > on exotic keyboards, and can be generated using only tools that pass
> > uses already. All you need is to add to "pass generate" an option to
> > reduce $CHARACTER_SET to [:lower:].
>
> it is not easy to type wahseepienoofac on a mobile phone, IMHO. but
> adding periods (not hyphens! the key moves around) will help - not for
> entropy, but to make it easier to read and track how far I've gotten:
>
> wah.see.pie.noo.fac
What about whitespace instead of periods? The period may be located on an
awkward key on some keyboard layout, but (I hope) the spacebar is universal.

> (I just realised I am lucky that I never have qwertz or azerty in my
> environment... that would reduce the number of available letters to 21,
> ertuiop/sdfghjkl/xcvbnm, by my count. digits, comma and period bring
> the total to 33.)

If you consider that you cannot trust the letters printed on the keyboard's
keys to know how to type a given character, then you are totally screwed if
someone is using dvorak, colemak, bépo, neo, das… you won't be able to have
a single usable character for your passphrases :(

> >> average length of 13 characters. this doesn't really help entropy,
> >> though. 489533 distinct words give 18.9 bits of entropy each, so the
> >> above pass phrases (of four words) have 75 bits, or 5.74e+22. still not
> >> a huge amount, but the attacker would have to know that this is the
> >> method I use to make pass phrases to successfully reduce his search space.
> >
> > You can get 75 bits of entropy with 16 lowercase letters or 14
> > mixed-case letters. That is surely easier to type than your example.
>
> it really depends on your keyboard and brain :-)

True. But then again, if you trust the way the password is hashed on the
remote system, you can allow for a much shorter password, as the hashing
algorithm will slow down an attacker to the equivalent of a dozen bits of
entropy.

Matthieu
--
(~._.~) Matthieu Weber - [email protected] (~._.~)
 ( ? )  http://weber.fi.eu.org/                   ( ? )
 ()- -() public key id : 0x85CB340EFCD5E0B3      ()- -()
(_)-(_) "Humour is when you laugh anyway (Otto J. Bierbaum)" (_)-(_)
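The entropy arithmetic argued over in this thread, worked through as an added example (not code from the thread or from pass itself). It computes bits per symbol for a character set or a word list, the number of symbols needed to reach a target entropy, and generates a lowercase password grouped with periods as Kjetil suggests; the 94-character printable ASCII set is an assumption standing in for "alphanumerics+symbols", and the word-list size is the one quoted in the thread.

```python
"""Password entropy arithmetic for the pass mailing-list discussion.

Added example, not from the thread or from pass. Assumes "alphanumerics+symbols"
means the 94 printable ASCII characters (pass's [:graph:] default).
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase                                      # 26 symbols
MIXED = string.ascii_letters                                        # 52 symbols
GRAPH = string.digits + string.ascii_letters + string.punctuation   # 94 symbols
WORDLIST_SIZE = 489533                                              # size quoted in the thread


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one symbol chosen uniformly from the alphabet."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Total entropy of `length` independent, uniformly chosen symbols."""
    return length * bits_per_symbol(alphabet_size)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy is at least target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def generate_grouped(length: int, group: int = 3, alphabet: str = LOWER) -> str:
    """Uniformly random password from `alphabet`, split into period-separated
    groups of `group` characters. The periods are separators only: they are
    placed deterministically and add no entropy."""
    chars = [secrets.choice(alphabet) for _ in range(length)]
    groups = ["".join(chars[i:i + group]) for i in range(0, length, group)]
    return ".".join(groups)


if __name__ == "__main__":
    base = entropy_bits(len(GRAPH), 8)          # the 8-character [:graph:] baseline
    print(f"8 x [:graph:]    = {base:.1f} bits")
    print(f"lowercase needed = {symbols_needed(base, len(LOWER))} characters")
    print(f"4 words          = {entropy_bits(WORDLIST_SIZE, 4):.1f} bits")
    print(f"16 lowercase     = {entropy_bits(len(LOWER), 16):.1f} bits")
    print(f"14 mixed-case    = {entropy_bits(len(MIXED), 14):.1f} bits")
    print(generate_grouped(15))                 # same shape as wah.see.pie.noo.fac
```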
_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
