Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-26 Thread Jean-David Beyer

On 12/25/2015 12:50 PM, Ingo Klöcker wrote:
> On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote:
>> Hello,
>> 
>> I do not fully understand why some 4 random words like
>> 
>> Correct, horse! Battery staple!
>> 
>> is a better passphrase than, for example
>> 
>> Und allein dieser Mangel und nichts anderes führte zum Tod.
>> 
>> i.e. some phrasing which could be memorized better?
> 
> The second sentence is found by search engines (2 hits in
> DuckDuckGo). Don't use it or any other phrase that has been
> published on the internet. A phrase of 4 random words has a high
> probability that it has not been published on the internet (or
> anywhere else). The tricky part is that you must never put your 
> 4-random-words phrase into a search engine to check this.
> 
> Instead of using a 4-random-words phrase you can use a proper
> sentence with equivalent entropy provided that you do not use a
> sentence that has been published anywhere. Come up with your own
> sentence. Ideally come up with a sentence that doesn't make any
> sense like "The horse was correct. You cannot staple batteries."
> This phrase might be easier to remember and has a similar entropy
> as the above mentioned 4-random-words phrase.
> 
> 

A favorite of mine, not usable then, and even less so now, is the
following:

At Night We Walk in Circles and Are Consumed by Fire

In Latin, that is a palindrome.

It is now the name of a musical composition, and has a group of its
own on Facebook.

https://www.wnyc.org/radio/#/ondemand/510001

-- 
  .~.  Jean-David Beyer  Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 10:35:01 up 1 day, 11:08, 2 users, load average: 4.16, 4.24, 4.19

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-26 Thread malte
Quoting Peter Lebbing (2015-12-26 09:53:38)
> On 26/12/15 01:39, ma...@wk3.org wrote:
> > do you have an estimate on the number of unique sentences published on
> > the Internet?
>
> What is your purpose by the way? Look for an estimated amount of entropy
> contained in picking one of those sentences?

Yes. To know if picking a random, but previously published sentence (no
matter the length) may ever be good enough. And then maybe going on to
see if two random, but previously published sentences might be good
enough (-:


Sincerely,

Malte



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-26 Thread Peter Lebbing
On 26/12/15 01:39, ma...@wk3.org wrote:
> do you have an estimate on the number of unique sentences published on
> the Internet?

Hm how many of those would have been generated by a Markov chain
generator that a spammer used to generate some filler text in a spam
mail? I bet you've seen them, those texts that superficially look like
proper English sentences, but when you look closely, it's completely
non-sensical.

What is your purpose by the way? Look for an estimated amount of entropy
contained in picking one of those sentences?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-26 Thread Melvin Carvalho
On 24 December 2015 at 17:02, Matthias Apitz  wrote:

>
> Hello,
>
> I do not fully understand why some 4 random words like
>
> Correct, horse! Battery staple!
>
> is a better passphrase than, for example
>
> Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> i.e. some phrasing which could be memorized better?
>

Might help:

https://rya.nc/cracking_cryptocurrency_brainwallets.pdf

(See slide 35)


>
> matthias
> --
> Matthias Apitz, ✉ g...@unixarea.de,  http://www.unixarea.de/  ☎
> +49-176-38902045
>


Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Peter Lebbing
On 25/12/15 06:19, Ineiev wrote:
> I assume the amount of entropy is what really matters. For instance,
> if on every next step you are free to choose any of 4 random words
> taken from a 6-word dictionary, you may put it in a grammatically
> correct form[*], then you must get a certain entropy per step.

Yes, however, this characterization seems mathematically incorrect.
Let's assume one in four words in the dictionary fits the grammar. I
hope this concurs broadly with what you assumed. Rather than pick four
random words of the full list, and then pick one of those, you pick one
out of a quarter of the wordlist size.

So that's 2 bits per word you're losing, a lot more than if you were
free to pick one of four random words. And there is a lot more structure
to the sentence given by Matthias than just its grammatical soundness.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread malte
It's about the randomness/unpredictability/entropy of the passphrase.

There are fewer grammatically correct sentences with 4 words than there
are combinations of 4 words in total.

So, yes, you can take a sentence that makes sense, but then the whole
passphrase has to be longer. There is an estimate of 1.5 bit of entropy
per character in natural language. So if you want a passphrase with 60
bits of entropy, it would need to be 40 characters long. You could reach
the same strength with 10 random characters (alphanumeric with upper and
lower case).

In the end it depends what you can remember better and what you can type
faster.


Sincerely,

Malte



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Johan Wevers
On 24-12-2015 17:02, Matthias Apitz wrote:

> I do not fully understand why some 4 random words like 
> 
>   Correct, horse! Battery staple!
> 
> is a better passphrase than, for example 
> 
>   Und allein dieser Mangel und nichts anderes führte zum Tod.

I do know that using accented characters might get you into trouble on
some keyboards. I remember working somewhere where German keyboards were
used but the driver for them was loaded after login. We had to tell the
people not to use a z or y in the password to limit the amount of "I
can't login" calls to the IT department.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Lachlan Gunn
I'm a big fan of that list, and for some time I've been meaning to generate
a tweaked version that uses binary numbering, having recently needed to
generate a passphrase without a dice to hand. Using a coin and rejection
sampling isn't too hard, but it's rather annoying to have to throw away 20%
of digits.

Thanks,
Lachlan
On 25 Dec 2015 17:16,  wrote:

> If you want a simple random list, look at diceware:
>
> http://world.std.com/~reinhold/diceware.html
>
> Both the page and the diceware lists are available in many languages,
> including German
>
>
> vedaal
>


Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Ingo Klöcker
On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote:
> Hello,
> 
> I do not fully understand why some 4 random words like
> 
>   Correct, horse! Battery staple!
> 
> is a better passphrase than, for example
> 
>   Und allein dieser Mangel und nichts anderes führte zum Tod.
> 
> i.e. some phrasing which could be memorized better?

The second sentence is found by search engines (2 hits in DuckDuckGo). Don't 
use it or any other phrase that has been published on the internet. A phrase 
of 4 random words has a high probability that it has not been published on the 
internet (or anywhere else). The tricky part is that you must never put your 
4-random-words phrase into a search engine to check this.

Instead of using a 4-random-words phrase you can use a proper sentence with 
equivalent entropy provided that you do not use a sentence that has been 
published anywhere. Come up with your own sentence. Ideally come up with a 
sentence that doesn't make any sense like "The horse was correct. You cannot 
staple batteries." This phrase might be easier to remember and has a similar 
entropy as the above mentioned 4-random-words phrase.


Regards,
Ingo




Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Ineiev
On Fri, Dec 25, 2015 at 10:57:06AM +0100, Peter Lebbing wrote:
> On 25/12/15 06:19, Ineiev wrote:
> Let's assume one in four words in the dictionary fits the grammar. I
> hope this concurs broadly with what you assumed. Rather than pick four
> random words of the full list, and then pick one of those, you pick one
> out of a quarter of the wordlist size.

Agreed.

> So that's 2 bits per word you're losing, a lot more than if you were
> free to pick one of four random words.

6/4 is more than 13 bits; 2 bits is not a lot compared to 13,
but the result may be much easier to remember.

> And there is a lot more structure
> to the sentence given by Matthias than just its grammatical soundness.

I see; it's a different issue.



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Matthias Apitz
On Friday, December 25, 2015 at 06:50:07PM +0100, Ingo Klöcker wrote:

> > Und allein dieser Mangel und nichts anderes führte zum Tod.
> > 
> > i.e. some phrasing which could be memorized better?
> 
> The second sentence is found by search engines (2 hits in DuckDuckGo). Don't 
> use it or any other phrase that has been published on the internet. A phrase 
> of 4 random words has a high probability that it has not been published on the 
> internet (or anywhere else). The tricky part is that you must never put your 
> 4-random-words phrase into a search engine to check this.
> 
> Instead of using a 4-random-words phrase you can use a proper sentence with 
> equivalent entropy provided that you do not use a sentence that has been 
> published anywhere. Come up with your own sentence. Ideally come up with a 
> sentence that doesn't make any sense like "The horse was correct. You cannot 
> staple batteries." This phrase might be easier to remember and has a similar 
> entropy as the above mentioned 4-random-words phrase.

Ofc, I would not have used this phrase, which is part of my signature :-)
This was only an example. I'd have used something from a book or
poem which was written before Internet-times and perhaps never published
afterwards.

Thanks for all hints in this thread.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de,  http://www.unixarea.de/  ☎ 
+49-176-38902045
«(über die DDR)... Und allein dieser Mangel (an Sozialismus) und nichts anderes
führte zum Tod. Und wer da nicht trauert, hat kein Herz, und wer da nicht neu
anpackt, hat auch keins verdient.»
«(about the GDR)... And this shortage (of socialism) alone, and nothing else,
led it to its death. And whoever is not in mourning has no heart, and whoever
does not throw themselves into the fight again does not deserve a heart.»,
junge Welt, 3 October 2015, p. 11



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread vedaal
If you want a simple random list, look at diceware:

http://world.std.com/~reinhold/diceware.html

Both the page and the diceware lists are available in many languages,
including German
vedaal


Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread gnupg
Matthias Apitz wrote:

> On Friday, December 25, 2015 at 06:50:07PM +0100, Ingo Klöcker wrote:
> 
> > >   Und allein dieser Mangel und nichts anderes führte zum Tod.
> > > 
> > > i.e. some phrasing which could be memorized better?
> > 
> > The second sentence is found by search engines (2 hits in DuckDuckGo). Don't 
> > use it or any other phrase that has been published on the internet. A phrase 
> > of 4 random words has a high probability that it has not been published on the 
> > internet (or anywhere else). The tricky part is that you must never put your 
> > 4-random-words phrase into a search engine to check this.
> > 
> > Instead of using a 4-random-words phrase you can use a proper sentence with 
> > equivalent entropy provided that you do not use a sentence that has been 
> > published anywhere. Come up with your own sentence. Ideally come up with a 
> > sentence that doesn't make any sense like "The horse was correct. You cannot 
> > staple batteries." This phrase might be easier to remember and has a similar 
> > entropy as the above mentioned 4-random-words phrase.
> 
> Ofc, I would not have used this phrase, which is part of my signature :-)
> This was only an example. I'd have used something from a book or
> poem which was written before Internet-times and perhaps never published
> afterwards.

that's no good. if it's been published ever, then google has probably
obtained a copy and digitized it and re-published it at books.google.com.




Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread malte
Hi,

do you have an estimate on the number of unique sentences published on
the Internet?


Sincerely,

Malte



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-24 Thread Ineiev
Hello,

On Thu, Dec 24, 2015 at 05:50:47PM +0100, Peter Lebbing wrote:
>
> > Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> This is grammatical. There is a subject (or two), a verb, an.. well
> whatever those things are like "zum Tod", I don't often discuss grammar
> in any other language than Dutch so I forgot the technical terms.
> Furthermore, the phrase actually makes sense semantically. I don't know
> if somebody ever said or wrote it; that would make it even worse, since
> a passphrase cracker could try sentences from a corpus of likely texts
> it has scoured from the internet.
>
> It has grammar, it has semantics, it has a proper meaning. All these
> things go at the expense of its entropy.

I assume the amount of entropy is what really matters. For instance,
if on every next step you are free to choose any of 4 random words
taken from a 6-word dictionary, you may put it in a grammatically
correct form[*], then you must get a certain entropy per step.

* Depending on the language, there may be more than one correct form
(past, future, plural, first or second person, modified with
a preposition...), but this randomness is hard to ensure.



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-24 Thread Peter Lebbing
Hello,

>   Correct, horse! Battery staple!

My understanding is that these words in such a passphrase are chosen by
a random number generator in a computer. I use such a passphrase; I've
let my computer pick words out of a word list based on reading
/dev/random; or actually, I'm fairly sure I used GnuPG to generate the
randomness. I didn't let it generate four words; I let it generate a few
more until some combination of four words emerged that I could somehow
memorize. It is not a phrase, it is non-grammatical, it just has
something to it that makes it such that I can remember. The amount of
entropy each word contains is close to the amount of choice there is in
picking a word from the word list; i.e., base-2 log of the number of
words in the word list if you express it in bits.

>   Und allein dieser Mangel und nichts anderes führte zum Tod.

This is grammatical. There is a subject (or two), a verb, an.. well
whatever those things are like "zum Tod", I don't often discuss grammar
in any other language than Dutch so I forgot the technical terms.
Furthermore, the phrase actually makes sense semantically. I don't know
if somebody ever said or wrote it; that would make it even worse, since
a passphrase cracker could try sentences from a corpus of likely texts
it has scoured from the internet.

It has grammar, it has semantics, it has a proper meaning. All these
things go at the expense of its entropy. Whereas a few words that only
make enough sense to be memorizable have loads of entropy, as the
cartoon expresses. "Memorizability" is not easily quantified when you
write a password cracker. It's almost a Turing test in a way. What you
want to avoid is that there is a pattern that a password cracker can
look for. Replacing an i with a 1 (one) is a horribly little amount of
extra entropy that serves more to make it difficult for you than that
one little extra try that a password cracker has to do matters.

> i.e. some phrasing which could be memorized better?

I don't think I can ever make myself forget Correct horse, battery
staple! :)

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
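
An added example, not part of any poster's message: the entropy figures quoted in this thread (base-2 log of the word-list size per word, the one-in-four grammar case, 1.5 bits per character of prose, 10 random alphanumerics) worked through in Python, with words picked by the OS CSPRNG. The 16-word sample list and the corpus size of 10**12 published sentences are assumptions made for illustration; 7776 (6**5) is the size of a Diceware list.

```python
import math
import secrets

# Constructed 16-word sample list (4 bits per word), for illustration only.
# A real list such as Diceware has 6**5 = 7776 entries.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "fossil", "garden", "hollow",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchid", "pepper",
]

def pick_words(wordlist, n_words):
    """Pick n_words independently and uniformly using the OS CSPRNG."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates; entropy would be overstated")
    return [secrets.choice(wordlist) for _ in range(n_words)]

def wordlist_bits(list_size, n_words):
    """Entropy of n_words uniform picks from list_size words: n * log2(size)."""
    return n_words * math.log2(list_size)

def grammar_restricted_bits(list_size, n_words, fitting_fraction):
    """Entropy when only a fraction of the list fits each slot (the 1-in-4 case)."""
    return n_words * math.log2(list_size * fitting_fraction)

def random_chars_bits(length, alphabet_size=62):
    """Entropy of uniformly random characters; 62 = a-z, A-Z, 0-9."""
    return length * math.log2(alphabet_size)

def natural_language_chars(target_bits, bits_per_char=1.5):
    """Characters of ordinary prose needed at the thread's 1.5 bits/char estimate."""
    return math.ceil(target_bits / bits_per_char)

def published_sentence_bits(corpus_size, n_sentences=1):
    """Entropy of picking uniformly from a corpus that a cracker also holds.
    Sentence length does not matter: only the number of candidates counts."""
    return n_sentences * math.log2(corpus_size)

def summary():
    dice = 7776
    return {
        "4 diceware words": wordlist_bits(dice, 4),
        "4 words, 1-in-4 fits grammar": grammar_restricted_bits(dice, 4, 0.25),
        "10 random alphanumerics": random_chars_bits(10),
        "prose chars for 60 bits": natural_language_chars(60),
        # Assumed corpus size of 10**12 sentences; not a figure from the thread.
        "1 published sentence": published_sentence_bits(10**12),
        "2 published sentences": published_sentence_bits(10**12, 2),
    }

if __name__ == "__main__":
    print(" ".join(pick_words(SAMPLE_WORDS, 4)))
    for label, value in summary().items():
        print(f"{label:32s} {value:6.1f}")
```

Under the assumed corpus size, one previously published sentence is worth about 40 bits however long it is, which is less than four uniformly picked Diceware words.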



Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-24 Thread Scott Lambdin
My boss told me to pick an 8 word sentence and use the initials.  I chose
my favorite line from my fan fiction:  "Put All Star Ships Where Only
Romulans Dwell"  and he fired me.

On Thu, Dec 24, 2015 at 11:02 AM, Matthias Apitz  wrote:

>
> Hello,
>
> I do not fully understand why some 4 random words like
>
> Correct, horse! Battery staple!
>
> is a better passphrase than, for example
>
> Und allein dieser Mangel und nichts anderes führte zum Tod.
>
> i.e. some phrasing which could be memorized better?
>
> matthias
> --
> Matthias Apitz, ✉ g...@unixarea.de,  http://www.unixarea.de/  ☎
> +49-176-38902045
>



-- 

Eat like you give a damn.  Go vegan.


about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-24 Thread Matthias Apitz

Hello,

I do not fully understand why some 4 random words like 

Correct, horse! Battery staple!

is a better passphrase than, for example 

Und allein dieser Mangel und nichts anderes führte zum Tod.

i.e. some phrasing which could be memorized better?

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de,  http://www.unixarea.de/  ☎ 
+49-176-38902045
