[PATCH] Add support for XKCD-style wordlist passwords
Kjetil Torgrim Homme
kjetil.homme at redpill-linpro.com
Tue Oct 30 20:01:11 CET 2018
Den 30. okt. 2018 12:10, skreiv Matthieu Weber:
> On Tue, 30 Oct 2018 at 10:33AM +0100, Kjetil Torgrim Homme wrote:
>> yes, but sometimes you need to enter this password by hand. I use horse
>> battery passwords when I might need to enter the password on a mobile
>> phone or on a console in a chilly data centre in the middle of the
>> night. both of these will often have problems with strange characters
>> or keyboard layouts (is "&" on Shift 6 or Shift 7? since there is often
>> no echo, there is no way to be sure!)
>
> So you want passwords that are easy to type: generate passwords that are
> made entirely of lowercase letters, all you need is 40% more characters
> to have the same entropy as a password made of alphanumerics+symbols
> i.e., 11 characters instead of 8. They will be easy enough to type even
> on exotic keyboards, and can be generated using only tools that pass
> uses already. All you need is to add to “pass generate” an option to
> reduce $CHARACTER_SET to [:lower:].
it is not easy to type wahseepienoofac on a mobile phone, IMHO. but
adding periods (not hyphens! the key moves around) will help - not for
entropy, but to make it easier to read and track how far I've gotten:
wah.see.pie.noo.fac
(I just realised I am lucky that I never have qwertz or azerty in my
environment... that would reduce the number of available letters to 21,
ertuiop/sdfghjkl/xcvbnm, by my count. digits, comma and period brings
the total to 33.)
>> average length of 13 characters. this doesn't really help entropy,
>> though. 489533 distinct words give 18.9 bits of entropy each, so the
>> above pass phrases (of four words) have 75 bits, or 5.74e+22. still not
>> a huge amount, but the attacker would have to know that this is the
>> method I use to make pass phrases to successfully reduce his search space.
>
> You can get 75 bits of entropy with 16 lowercase letters or 14
> mixed-case letters. That is surely easier to type than your example.
it really depends on your keyboard and brain :-)
--
Kjetil T. Homme
Redpill Linpro - Changing the game
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20181030/58072b5d/attachment.asc>
More information about the Password-Store
mailing list