[PATCH] Add support for XKCD-style wordlist passwords

Brad Knowles brad at shub-internet.org
Tue Oct 30 14:46:20 CET 2018 

On Oct 30, 2018, at 4:33 AM, Kjetil Torgrim Homme <kjetil.homme at redpill-linpro.com> wrote:

> Norwegian words are quite long...
> 
> $ aspell -d no dump master | grep -v "['A-Z]" | wc
> 489533  489533 6966844
> 
> average length of 13 characters.  this doesn't really help entropy,
> though.  489533 distinct words give 18.9 bits of entropy each, so the
> above pass phrases (of four words) have 75 bits, or 5.74e+22.  still not
> a huge amount, but the attacker would have to know that this is the
> method I use to make pass phrases to successfully reduce his search space.

One key aspect of diceware/xkcd-style pass-strings is that the words that compose the string are themselves easy to remember and easy to distinguish from each other.  That's why the dictionaries are relatively small -- 10,000 well-chosen words for your dictionary is much better than 489,000 words that comprise the entire dictionary but many of which are much lower quality words.

Going from 8k words to 16k words only increases your entropy per word by one bit (2^13 vs. 2^14), but it is likely to make many of the additional words harder to remember, harder to pronounce and type, and harder to distinguish.

For English-language words, this is why the EFF significantly improved the situation with their "long word list".  It still satisfies all the goals of a diceware/xkcd-type wordlist, but the words are longer (and significantly longer on average), while still being easy to remember, easy to type and pronounce, and easy to distinguish.


You compensate for low entropy per word by making pass-strings that are much longer.

How much longer you make them is up to you, but if you want a pass string with 128 bits of entropy, then you could create a pass-string that is ten words long (128/13 ~= 9.84615384615384615384).

At which point, yeah -- you might want to store those in a password manager.


But you always -- always -- always ... assume that the attacker knows the mechanism(s) by which your passwords/passphrases/pass-strings are generated and will attack them in the most efficient manner possible.


I do support -- and use -- diceware/xkcd-style passwords for certain functions, but I don't know that I'd make it a core functionality of this program.

-- 
Brad Knowles <brad at shub-internet.org>

Please forgive any typos.  I'm fighting a failing keyboard on my laptop, in addition to having a broken finger.

More information about the Password-Store mailing list