[PATCH] Add support for XKCD-style wordlist passwords

Kjetil Torgrim Homme kjetil.homme at redpill-linpro.com
Tue Oct 30 20:01:11 CET 2018


On 30 Oct 2018 at 12:10, Matthieu Weber wrote:
> On Tue, 30 Oct 2018 at 10:33AM +0100, Kjetil Torgrim Homme wrote:
>> yes, but sometimes you need to enter this password by hand.  I use horse
>> battery passwords when I might need to enter the password on a mobile
>> phone or on a console in a chilly data centre in the middle of the
>> night.  both of these will often have problems with strange characters
>> or keyboard layouts (is "&" on Shift 6 or Shift 7?  since there is often
>> no echo, there is no way to be sure!)
> 
> So you want passwords that are easy to type: generate passwords that are
> made entirely of lowercase letters, all you need is 40% more characters
> to have the same entropy as a password made of alphanumerics+symbols
> i.e., 11 characters instead of 8. They will be easy enough to type even
> on exotic keyboards, and can be generated using only tools that pass
> uses already. All you need is to add to “pass generate” an option to
> reduce $CHARACTER_SET to [:lower:].

it is not easy to type wahseepienoofac on a mobile phone, IMHO.  but
adding periods (not hyphens!  the key moves around) will help - not for
entropy, but to make it easier to read and track how far I've gotten:

  wah.see.pie.noo.fac

(I just realised I am lucky that I never have qwertz or azerty in my
environment...  that would reduce the number of available letters to 21,
ertuiop/sdfghjkl/xcvbnm, by my count.  digits, comma and period brings
the total to 33.)

>> average length of 13 characters.  this doesn't really help entropy,
>> though.  489533 distinct words give 18.9 bits of entropy each, so the
>> above pass phrases (of four words) have 75 bits, or 5.74e+22.  still not
>> a huge amount, but the attacker would have to know that this is the
>> method I use to make pass phrases to successfully reduce his search space.
> 
> You can get 75 bits of entropy with 16 lowercase letters or 14
> mixed-case letters. That is surely easier to type than your example.

it really depends on your keyboard and brain :-)

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
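The entropy arithmetic in this exchange (bits per dictionary word, how many lowercase-only or mixed-case letters match a four-word passphrase, and the reduced letter set that sits in the same place on qwerty, qwertz and azerty), worked through as an added example. This is not code from the thread or from pass itself: the wordlist is a constructed stand-in for a real dictionary, the 21-letter layout-safe set is copied from the count in the message above, and the 94-symbol "printable" alphabet is an assumption standing in for the "alphanumerics+symbols" set.

```python
import math
import secrets

# Letters in the same place on qwerty, qwertz and azerty, as counted in the
# message above (ertuiop / sdfghjkl / xcvbnm): 21 letters.
LAYOUT_SAFE_LETTERS = frozenset("ertuiopsdfghjklxcvbnm")

# Alphabet sizes used in the thread's comparisons.
LOWER = 26                                         # [:lower:]
MIXED = 52                                         # upper + lower
PRINTABLE = 94                                     # assumption: printable ASCII minus space
LAYOUT_SAFE = len(LAYOUT_SAFE_LETTERS) + 10 + 2    # + digits, comma, period = 33

# Constructed sample wordlist (stand-in for a real dictionary such as the
# 489533-word list mentioned in the thread).
SAMPLE_WORDS = ["wah", "see", "pie", "noo", "fac", "horse", "battery",
                "staple", "correct", "lint", "flux", "gem", "kelp", "moss"]


def bits_per_word(wordlist_size: int) -> float:
    """Entropy of one word chosen uniformly from a list of this size."""
    return math.log2(wordlist_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def search_space(wordlist_size: int, n_words: int) -> int:
    """Passphrases an attacker who knows the method has to try at most."""
    return wordlist_size ** n_words


def layout_safe(word: str) -> bool:
    """True if every letter of `word` is in the 21-letter layout-safe set."""
    return bool(word) and set(word) <= LAYOUT_SAFE_LETTERS


def generate_passphrase(words, n_words: int, sep: str = ".") -> str:
    """Pick n_words uniformly with the OS CSPRNG (secrets, never random)."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty list")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(target_bits: float) -> dict:
    """Length needed to reach target_bits over each alphabet in the thread."""
    return {name: length_for_bits(target_bits, size)
            for name, size in (("lower", LOWER), ("mixed", MIXED),
                               ("printable", PRINTABLE),
                               ("layout_safe", LAYOUT_SAFE))}


if __name__ == "__main__":
    per_word = bits_per_word(489533)
    print(f"{per_word:.1f} bits/word, 4 words = {4 * per_word:.1f} bits, "
          f"search space {search_space(489533, 4):.2e}")
    print("lengths for 75 bits:", compare(75))
    safe = [w for w in SAMPLE_WORDS if layout_safe(w)]
    print("layout-safe words:", safe)
    print("passphrase:", generate_passphrase(safe, 4))
```

Filtering the dictionary with layout_safe before generating shrinks the list, so the bits-per-word figure has to be recomputed from the filtered size; the separator adds nothing to the entropy, as the message says, it only makes the phrase easier to read back.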
