> Your “trillion guesses per second” is an arbitrary number. You are
deluding yourself you think that any serious attacker will be so limited.
What is the actual number, then?
> Of course, Bitcoin miners are highly specialized and can not be used for
password cracking.
I would like to suggest suggest sticking to facts and evidence pertaining to
password cracking. Bitcoin may be based in cryptography, but that doesn't
necessarily mean you can apply rules to Bitcoin 1:1 onto passwords.
> Conclusion: In 2017, your suggested scheme is more broken than DES in 1998.
I didn't see the source of this conclusion in the paragraphs that preceded
it. It seems to me you were just claiming that computer power grows by a
certain amount in 19 years (why 19 years? Why not 10, or 50?) to an extent
greater than the figure Magic Banana supplied.
But what your conclusion here states suggests that the scheme itself is
fundamentally broken. If that is the case, then why is it not possible to
simply increase the number of words to achieve an acceptable strength, thus
increasing the number of possibilities even further?
Or alternatively, if the scheme is fine given a sufficient number of words,
why don't you simply provide a calculation for what that number of words
actually is? I think this would be much more constructive than just saying
multiple times that what was provided doesn't work. At the same time, it
would be worth comparing that to a string of characters (which is what you
appear to be advocating), particularly looking at how long the string of
characters needs to be to match the string of words. That way, we could
compare the relative lengths and strengths of both methods directly.
> Your original point was about bugs. The man page talks about cryptographic
attacks.
This seems like a bit of a semantic argument, no? I took what Magic Banana
wrote to mean that /dev/random is safer than /dev/urandom, which you seem to
implicitly admit here, and therefore /dev/random ought to be used.
Considering the only trade-off is having to wait a little longer, I can't see
I can think of any fundamental flaw in this reasoning.
How about this: what is the reason you recommend /dev/urandom when
/dev/random would (as you freely admit) be safer? You could argue forever
about how much safer it is, but why take the chance?