![]() Others want to remember the password, and others yet want it easy to type. Some people don't need to recall the passwords, as they are using password managers on all their devices, with a synced database, and can just copy/paste. But further, people remember things differently. Some service providers, like Google, will allow you any length with any complexity. When creating the generator, I realized that some sites will have length restrictions on your password, such as not allowing more than 12 characters, or not allowing certain special characters, or forcing at least one uppercase character and one digit, and so forth. The entropy toolbar of my password generator, with 70-bits as the default. Notice that the default selection is 70-bits. Thus, 60-bits is orange, 65-bits is yellow, and 70-bits and above are green. But things get exponentially expensive very quickly. As you can see from the screenshot of the entropy toolbar, 55-bits is red as we are in dangerous territory of an offline password cracker with maybe a cluster of GPUs finding the password. So, for simplicity sake, I started the entropy range at 55-bits, then incremented by 5 bits until the maximum of 80-bits. This seemed like a good place to start the range. This would also take that same GPU password cracking machine 94 weeks to fully exhaust every possibility. If the password chosen randomly from the same set of 94 graphical characters was 9 characters long, then the password would have about 59-bits of Shannon entropy. If chosen randomly, Shannon entropy places any password built from that set at about 52-bits. A single computer with a few modest GPUs can work through every 8-character password built from all 94 graphical characters on the ASCII keyboard hashed with SHA-1 in about a week. The question became, what should the range be, and what's my threat model? I decided to build my threat model after offline brute force password cracking. So, I built a password generator around entropy, and entropy only. Again, this is only true if the random function is uniform and unbiased. So, when I say a Diceware passphrase as approximately 64-bits of entropy, I'm saying that the passphrase that was generated is 1 in 2^64 or 18,446,744,073,709,551,616 possibilities. Shannon entropy is just a fancy way for estimating the total number of possibilities something could be, and it's measured in bits. Entropy is maximized when a uniform unbiased random function controls the output. If you've been a subscriber to my blog, you'll know that I post a lot about Shannon entropy. So I wanted to create a password and passphrase generator that met everyone's needs: Of course, this is a point of discussion about password managers, but I'll save that for another post. However, when you start talking about some of these generators, and they see passwords like "(5C10#+b" or "V#4I5'4c", their response is usually "I'm never going to remember that!". ![]() Usually, the lengths of each password is somewhere around 6-7 characters. Spouse's first name with number followed by special character.I've talked with my wife, family, and friends about what it requires to have a strong password, and I've asked them to give me examples. But worse, they give the person using them a false sense of security, and in most cases, they're not secure at all. ![]() While these password generators are all unique, and interesting, and maybe even secure, it boils down to the fact that my wife, never mind my mom or grandma, isn't going to use them. That would provide about 64-bits of entropy, a modestly secure result.Ī five-word Diceware passphrase could be: Arnold recommends throwing the dice enough times to create a five-word Diceware passphrase. Arnold explains that the passphrase needs to be chosen from a true random number generator (thus the dice) and as a result each word in the list will have approximately 12.9-bits of entropy. Arnold Reinhold created a list of 7,776 words, enough for every combination of a 6-sided die rolled 5 times. What bothers me about the "XKCD password" crowd, however, is that no one knows that Diceware was realized back in 1995, making passphrases commonplace. Why not add all the complexity of password generation to XKCD passwords?
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |