BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: kentborg at borg.org (Kent Borg)
- Date: Thu, 2 Feb 2017 17:15:14 -0500
- In-reply-to: <837eb7de-a956-c4bb-63f4-e1bcfa0e3861@gmail.com>
- References: <iydoKFG1q6EvZNl6T2sztfNEyMK3eE7jp_2ZXrcPTgVFK1IPE5deLwZcViB_xDQMcb16enHDIBp9gek18AIxu5VrLtdgSHK6qEOO91dh2nA=@protonmail.com> <20170131014651.GA21915@newtao.randomstring.org> <1cca093a-2f5b-c105-0288-5f435c11104e@borg.org> <e94de5ff-7644-d501-ccb4-fd4a6b32ff7a@napc.com> <565bdd82-c70e-3e64-6786-63f9b8de12da@borg.org> <e480dec0-22f0-99be-dbc0-fa3f75ddd1fe@gmail.com> <a47bda52-ca1f-15ab-2f57-3ab5d1519a48@borg.org> <ecfa4f25-9416-ddcc-d92f-7979136fdf96@borg.org> <837eb7de-a956-c4bb-63f4-e1bcfa0e3861@gmail.com>
On 02/02/2017 04:38 PM, Richard Pieri wrote:
> On 2/2/2017 2:51 PM, Kent Borg wrote:
>> Does have 40-bits of entropy, that is.
> Not really:
> https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

A rather terse posting, there. You seem to be saying "Schneier agrees with me, go read this." And I have read that. I presume you are referring to:

"This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick."

It depends on where those words came from. I am not relying on some trick, I am relying on raw combinations.

For example, let's just take 16-bits: from /dev/urandom: d85e

Uh, oh! Did I somehow reduce the number of possible combinations because I represented it in hex? Would I somehow reduce the number of possible combinations if I wrote it as "dee-eight-five-ee"? No.

In my case I am using a simple program called mnencode that was specifically designed for making binary data pronounceable. I can run 32-bits into mnencode and get "trade-medical-episode" and I can run "trade-medical-episode" through mndecode and get back the original 32-bits. It didn't change anything, it is just a coding.

I could tell you what those original 32-bits were--but they are binary, to put them in an e-mail I would need to code them some other way. Would "d7c1 271f" be okay, or does that somehow remove entropy? Octal: 153701 023437 okay? mnencode: trade-medical-episode? Oh, no, you don't like that one. It's just another coding. But it is easy to remember and easy to type on an ASCII keyboard. If someone wants to brute force it someone is going to have to run 2^32 combinations to try them all.

How do I get 40-bits in my examples? To make it extra good I prepend two hex digits: f1-sultan-joker-editor. (Also because some stupid systems will silently truncate passwords, it packs a little more entropy at the beginning.)

-kb
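An added example, not from the post or from the mnencode project, showing the point in code: a bijective mapping from random bits to a word list loses no combinations, and the search space is fixed by the generator (32 random bits plus two random hex digits gives 40 bits), not by how the bits are written down. The 16-word list is constructed for the demo; mnencode's real list is far larger, so it needs fewer words per 32 bits.

```python
import math
import secrets

# Constructed demo word list: 16 words, so each word carries exactly 4 bits.
WORDS = ["trade", "medical", "episode", "sultan", "joker", "editor",
         "garden", "river", "planet", "copper", "violin", "harbor",
         "meadow", "signal", "timber", "orbit"]
if len(WORDS) & (len(WORDS) - 1):
    raise ValueError("word list size must be a power of two for an exact coding")
BITS_PER_WORD = int(math.log2(len(WORDS)))


def encode_words(value: int, nbits: int) -> str:
    """Render an nbits-wide integer as hyphenated words, most significant group first."""
    if not 0 <= value < 1 << nbits or nbits % BITS_PER_WORD:
        raise ValueError("value out of range or nbits not a multiple of bits per word")
    mask = len(WORDS) - 1
    groups = [(value >> (BITS_PER_WORD * i)) & mask for i in range(nbits // BITS_PER_WORD)]
    return "-".join(WORDS[g] for g in reversed(groups))


def decode_words(phrase: str) -> int:
    """Inverse of encode_words: the coding is lossless, so the original bits come back."""
    value = 0
    for word in phrase.split("-"):
        value = (value << BITS_PER_WORD) | WORDS.index(word)
    return value


def make_passphrase(word_bits: int = 32, hex_digits: int = 2) -> str:
    """The post's scheme: random bits as words, with random hex digits in front so
    a system that silently truncates still keeps some entropy at the start."""
    words = encode_words(secrets.randbits(word_bits), word_bits)
    prefix = "".join(f"{secrets.randbits(4):x}" for _ in range(hex_digits))
    return f"{prefix}-{words}"


def search_space_bits(word_bits: int = 32, hex_digits: int = 2) -> int:
    """Bits of work for an attacker who knows the scheme: log2 of the number of
    phrases the generator can emit. Read it off the generator, not the string."""
    return word_bits + 4 * hex_digits


if __name__ == "__main__":
    original = 0xD7C1271F  # the post's sample 32 bits, in hex
    phrase = encode_words(original, 32)
    print(phrase, "->", hex(decode_words(phrase)))
    print(make_passphrase(), "search space bits:", search_space_bits())
```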