For what it's worth, here are my answers:
1. I use 1Password on the Mac, Windows, and iOS, which is currently all
the computers I use. The passwords it generates for me are currently 20
characters including upper and lower case, digits, punctuation, and
symbols. I never (well, hardly ever) have to enter one by hand, so I
don't mind using ambiguous characters (1, l, I, 0, O). They are not
limited to 20 characters, but that seemed enough to me. The only problem
is sites that put a low limit on the number of characters in a password
(!!!)
2. The character distribution in the 'sentence-based stunts' is probably
like the character distribution in English -- the etaoinshrdlu
distribution. Since some characters may be more or less likely as word
starters, the entropy might be even less than in English, so I don't
consider it random.
3. I've considered putting some Unicode characters in my 1Password
master password, but I haven't checked to see that I can enter them in a
password field on all the platforms I use. I would expect that Unicode
in a password field is represented as UTF-8, so that making a single
character Unicode would add only one, maybe two, bytes to the password,
rather than doubling the length. Making some of the characters ≥ 128
and < 256 would change the number of combinations that need to be
checked from 128^n to 256^n; i.e., it would multiply it by 2^n, but this
could also be done by adding a few more characters. Using UTF-8 Unicode
would also put in high bytes.
The XKCD method is not bad. The fact that the component parts are words
is not fatal. With the DICE method, you pick words at random from a
dictionary of about 7000 words. Brute force cracking a five-word
password requires 7000^5 tries, and then you can change the
capitalization, use a variety of symbols between the words, etc. to
increase the number. If someone tries to crack my 1Password vault, they
don't have a hashed password, so they need to feed each password to
1Password, which uses PBKDF to slow down the process. With current
hardware the time to crack my vault is over 100,000 years; I forget the
exact number. When hardware improves, I'll add another word to the
password.
For passwords I must remember (logon, Apple ID, Dropbox) I use a program
written by a friend which produces 11-character pronounceable
pseudo-words. Dropbox has a shorter password so I can get to the
1Password vault it contains in the case of disaster.
—Barry
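The arithmetic in Barry's reply, as an added worked example that is not code from him or from the list: it puts numbers on the 7000^5 diceware space, on what one Unicode character costs in UTF-8 bytes, and on the 128^n versus 256^n comparison against simply adding a few characters. The 7000-word dictionary and five words are taken from the message; the 94-symbol printable alphabet and the 1e9 guesses-per-second rate are constructed assumptions for the unthrottled case (a PBKDF-stretched vault, as described in the message, would lower that rate by orders of magnitude).

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures taken from the message: a ~7000-word dictionary and a five-word passphrase.
DICEWARE_DICTIONARY_SIZE = 7000
DICEWARE_WORDS = 5

# Assumptions (not from the thread): the 94 printable ASCII symbols a password
# manager can draw from, and a constructed guess rate of 1e9 per second for an
# unstretched hash. PBKDF-style stretching would make this far smaller.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ASSUMED_GUESSES_PER_SECOND = 1e9


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` symbols, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def utf8_byte_length(password: str) -> int:
    """Bytes the password occupies when submitted as UTF-8. A non-ASCII character
    costs 2 to 4 bytes, so one such character adds a byte or three, not double."""
    return len(password.encode("utf-8"))


def extra_bits_from_wider_alphabet(length: int, old_size: int, new_size: int) -> float:
    """Bits gained by enlarging the alphabet at fixed length; 128^n -> 256^n gives n bits."""
    return length * math.log2(new_size / old_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate of a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG, as a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, words: int = DICEWARE_WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: each word chosen uniformly from the word list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy (bits) and exhaustive-search time (years) for the schemes in the thread."""
    schemes = {
        "20 random printable chars": entropy_bits(len(PRINTABLE), 20),
        "5 diceware words (7000-word list)": entropy_bits(DICEWARE_DICTIONARY_SIZE, DICEWARE_WORDS),
        "6 diceware words (7000-word list)": entropy_bits(DICEWARE_DICTIONARY_SIZE, DICEWARE_WORDS + 1),
        "20 chars, 128-symbol alphabet": entropy_bits(128, 20),
        "20 chars, 256-symbol alphabet": entropy_bits(256, 20),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:38s} {bits:6.1f} bits  {years:12.3g} years")
    # Widening the alphabet from 128 to 256 over 20 characters adds 20 bits...
    print("extra bits from 128->256 over 20 chars:", extra_bits_from_wider_alphabet(20, 128, 256))
    # ...which three more printable characters almost match on their own.
    print("extra bits from 3 more printable chars:", round(entropy_bits(len(PRINTABLE), 3), 1))
    # Constructed sample: the umlaut costs one extra byte, not a doubled length.
    print("UTF-8 bytes in 'pässword':", utf8_byte_length("pässword"))
    print("sample password:", random_password())
    print("sample passphrase:", random_passphrase(["alpha", "bravo", "charlie", "delta"]))
```

Adding a sixth word to the passphrase multiplies the search space by 7000, which is the "add another word when hardware improves" step from the message; the 128-to-256 comparison shows the 2^n factor is real but is matched by roughly three extra printable characters.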
On 28 Jan 2015, at 21:25, Owen Densmore wrote:
So questions:
- How many of us are now using completely random pw's generated by one
of the pw managers?
- Is sentence based stunts close to "random"?
- Wouldn't Unicode help here? 16-bit characters would definitely
bother the crackers, right?
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com