[PATCH] stop using pwgen
Antoine Beaupré
anarcat at debian.org
Sun Dec 18 00:22:49 CET 2016
On 2016-12-17 17:43:12, Brian Candler wrote:
> On 17/12/2016 22:02, Antoine Beaupré wrote:
>> an 18-byte password contains (naturally) 144 bits of entropy and
>> base64 turns that into a 25-character password
> base64 turns each group of 3 bytes into 4 characters, so 18 bytes => 24
> characters
ah. yes. i was counting the last = sign, sorry.
>> base64 passwords are more portable and incur only a ~13% size increase
>> compared to original byte stream.
>
> 4/3 = 33% increase
oops. yes, that is more accurate.
> But anyway, I'm happy with the proposed approach for default password
> generator. Undoubtedly there will be people who want something else, so
> it would be good if it could be pluggable.
yes, maybe that is what i should have worked on instead. :)
> (Aside: I don't actually see any need for entropy > 96 bits: brute
> forcing 2^95 combinations, at a trillion attempts per second, would take
> 1.25 billion years. But I suppose burning a bit more entropy and storage
> does little harm)
well, i was just trying to avoid changing the default (and it looks like
i failed at that too :).
that said, having long passwords *does* do a little harm: it won't work,
by default, on certain sites that have obtuse password policies (e.g.
"max 16 characters", which is, coincidentally, around 96 bits of entropy
in my proposed algorithm).
in very old and awkward /dev/random implementations, it could also
deplete the entropy pool, but if you are running such a platform, you
will likely have other problems to worry about.
A.
--
When I came back to the United States, I decided that if you could use
propaganda for war, you could certainly use it for peace. And
"propaganda" got to be a bad word because of the Germans using it, so
what I did was to try and find some other words so we found the words
"public relations". - Edward Bernays
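The arithmetic traded in the thread above (18 random bytes give 144 bits and 24 base64 characters, the 4/3 size overhead, 16 characters of base64 carrying 96 bits, and 2^95 guesses at a trillion per second taking about 1.25 billion years) is worked through in the following added example. It is illustration code written for this page, not the patch under discussion and not pass's own generator; the function names are hypothetical, and it assumes standard base64 over bytes from the OS CSPRNG and a fixed 10^12 guesses per second.

```python
import base64
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Standard base64 alphabet; the padding character '=' carries no entropy.
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def generate_password(nbytes: int = 18) -> str:
    """Read nbytes from the OS CSPRNG and base64-encode them.

    This mirrors the approach discussed in the thread (random bytes ->
    base64) as an illustration; it is not the pass patch itself.
    Trailing '=' padding is stripped because it is a fixed value.
    """
    raw = secrets.token_bytes(nbytes)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def entropy_bits(nbytes: int) -> int:
    """Each uniformly random byte contributes 8 bits: 18 bytes -> 144."""
    return 8 * nbytes


def encoded_length(nbytes: int) -> int:
    """Length of the unpadded base64 output: ceil(nbytes * 4 / 3).

    Each group of 3 bytes becomes 4 characters, so 18 bytes -> 24 chars
    and 12 bytes -> 16 chars.
    """
    return math.ceil(nbytes * 4 / 3)


def size_overhead(nbytes: int) -> float:
    """Relative growth from raw bytes to base64 text: 4/3 - 1 = ~33%."""
    return encoded_length(nbytes) / nbytes - 1


def entropy_after_truncation(nbytes: int, max_chars: int) -> int:
    """Entropy that survives a site policy capping the password length.

    Every base64 character encodes 6 bits of the random stream, so a
    prefix of k characters keeps 6*k bits, capped at the 8*nbytes the
    bytes held in the first place. 18 bytes cut to 16 chars -> 96 bits.
    """
    kept_chars = min(max_chars, encoded_length(nbytes))
    return min(6 * kept_chars, entropy_bits(nbytes))


def brute_force_years(bits: int, guesses_per_second: float = 1e12) -> float:
    """Expected years to find the password by exhaustive search.

    On average half the space must be searched, i.e. 2**(bits-1)
    guesses; for 96 bits that is 2**95 guesses, about 1.25e9 years at
    a trillion guesses per second (the figure quoted in the thread).
    """
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (12, 18):
        pw = generate_password(n)
        print(f"{n} bytes -> {len(pw)} chars, {entropy_bits(n)} bits: {pw}")
    print("16-char policy keeps", entropy_after_truncation(18, 16), "bits")
    print("years to brute-force 96 bits:", f"{brute_force_years(96):.3g}")
```

The truncation helper is the practical check: if a site enforces "max 16 characters", the first 16 characters of a 24-character base64 password still carry exactly 96 bits, so chopping the generated password down is a loss of margin rather than a loss of security, as long as the source bytes were uniform and the policy does not also reject `+` or `/`.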