On Tue, 17 Jun 2014 22:00:49 -0400 Jerry Stuckle <jstuc...@attglobal.net> wrote:
> On 6/17/2014 7:41 PM, Celejar wrote:
> > On Sat, 14 Jun 2014 22:32:16 -0400
> > Jerry Stuckle <jstuc...@attglobal.net> wrote:
> >
> >> On 6/14/2014 2:06 PM, Patrick Chkoreff wrote:
> >
> > ...
> >
> >>> Here's a way to generate a *truly* random password that is *also*
> >>> memorable:
> >>>
> >>> http://diceware.com
> >>>
> >>> Instead of using your computer to generate allegedly random bits, you
> >>> use five six-sided dice to generate truly random bits.
> >>>
> >>>
> >>> -- Patrick
> >>>
> >>
> >> Not good at all. With 5 dice, you have 6^5 or 7,776 possible
> >> combinations. Just figuring 5 upper and lower case characters and
> >> numbers, you have 62^5 or 916,132,832 (more if you add special
> >> characters). Even a 3 alphanumeric (upper and lower) case character
> >> password has 238,328 possible combinations.
> >>
> >> I wouldn't even consider this a weak password. It's much worse than
> >> that. The fact you can have combinations of words doesn't add that much
> >> security, especially if someone thinks you're using the diceware list.
> >
> > I think there's a miscommunication here; the diceware instructions are
> > to use five dice *per word*, and recommend either five or six words as
> > a minimum:
> >
> > http://world.std.com/~reinhold/diceware.html
> > http://world.std.com/~reinhold/dicewarefaq.html#howlong
> >
> > Celejar
> >
>
> Yes, I understand. But a roll of five dice is less secure than a three
> character alphanumeric (upper and lower case) password (7,776 vs.
> 238,328 combinations). A 6 word password would have approximately the
> same security as a 13 character alphanumeric password.

Understood. I think the point of diceware, though, is that it generates
passphrases with at least a fair bit of entropy and that are still
relatively easy to remember, as per the celebrated xkcd:

http://xkcd.com/936/

Of course, your *genuinely* random 13 character password will be just
as good, but likely harder to remember.

> But then you have to type 30-40 characters or so to enter the diceware
> password; very few (if any) sites will accept a password that long. The
> longest I know of is around 20 characters (my bank).
>
> That severely limits the number of combinations you can get with dice.

True. I think they're mainly useful for local system passphrases, such
as GPG and LUKS keys.

> Jerry

Celejar
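
The figures traded in this thread can be checked directly. The following is an added example, not part of the original messages: it compares the size of an n-word Diceware passphrase space with that of a random 62-symbol alphanumeric password, and produces the five-digit dice keys used to look words up in a Diceware list. The function names are hypothetical, the word list itself is not embedded, and the OS CSPRNG stands in for physical dice as an assumption of this sketch.

```python
import math
import secrets

DICE_PER_WORD = 5                     # Diceware: five six-sided dice select one word
WORDLIST_SIZE = 6 ** DICE_PER_WORD    # 7,776 possible outcomes per word
ALNUM_SIZE = 62                       # a-z, A-Z, 0-9


def diceware_keys(n_words):
    """Return n_words five-digit keys (e.g. '36142') to look up in a Diceware list.

    Assumption: secrets.randbelow (unbiased, CSPRNG-backed) replaces real dice.
    """
    return [
        "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))
        for _ in range(n_words)
    ]


def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` independent uniform picks from the alphabet."""
    return length * math.log2(alphabet_size)


def alnum_length_at_least(n_words):
    """Smallest L such that 62**L >= 7776**n_words, using exact integers."""
    target = WORDLIST_SIZE ** n_words
    length, space = 0, 1
    while space < target:
        space *= ALNUM_SIZE
        length += 1
    return length


if __name__ == "__main__":
    print("sample keys (constructed at run time):", diceware_keys(6))
    for n in (1, 5, 6):
        print(f"{n} word(s): {entropy_bits(WORDLIST_SIZE, n):5.1f} bits, "
              f"matched or exceeded by {alnum_length_at_least(n)} alphanumeric chars")
    print(f"13 alphanumeric chars: {entropy_bits(ALNUM_SIZE, 13):.1f} bits")
```

Six words give about 77.5 bits and 13 random alphanumeric characters about 77.4 bits, so the two are approximately equal as stated in the thread; strictly matching six words takes 14 characters.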