[Cryptography] generated passphrases
Kent Borg
kentborg at borg.org
Tue Aug 13 16:19:07 EDT 2019
On 8/12/19 6:53 PM, jamesd at echeque.com wrote:
> There are plenty of random phrase generators around, but I have not
> found their algorithms and their word databases.
>
> I hope someone could direct me to some open source for random phrase
> generation
I have a simple largely homebrew solution using mnencode. I downloaded
my copy a long time ago, but I think it is the same as
https://github.com/singpolyma/mnemonicode
It is a program that converts data to words (and the companion mndecode
converts back). It is like base64 but more pronounceable output. And
because it is a two-way thing--nothing added nothing lost--whatever
entropy you feed in is in the output.
I use it to generate passwords by (roughly*) feeding a few bytes from
Linux's /dev/urandom into it. Presto: turn high quality random bits into
something memorable.
$ head -c 4 /dev/random | mnencode
Wordlist ver 0.7 - EXPECT INCOMPATIBLE CHANGES
artist-equal-cricket
$ head -c 4 /dev/random | mnencode
Wordlist ver 0.7 - EXPECT INCOMPATIBLE CHANGES
eric-panic-visitor
$ head -c 4 /dev/random | mnencode
Wordlist ver 0.7 - EXPECT INCOMPATIBLE CHANGES
orient-empire-final
$ head -c 4 /dev/random | mnencode
Wordlist ver 0.7 - EXPECT INCOMPATIBLE CHANGES
costume-harvard-charlie
Those are high quality passwords with 32-bits of real entropy each.
* Actually, I use it in combination with a Python program I wrote
to generate somewhat more complicated passwords. For example
sometimes systems will silently truncate passwords at, say,
8-characters. So that last one might actually end up being
"costume-", which isn't so good. So I recommend prepending some hex
digits. If some stupid system truncates "7csaturn-accent-vatican" at
8-characters it will still be "7csaturn" which isn't a horrible
password.
> pass phrases for crypto currency accounts require about a 128 bits of
> entropy
The difference between a login password and an encryption passphrase is
gigantic and mostly ignored. I am so glad to see people underlining this
point.
Encryption passphrases are /really/ hard to reliably remember (and quite
hard to blindly type accurately without a keyboard echo).
In the examples above it is easy to "curve fit" an idea through three
words, and use it to help remember the password. But when it gets longer
the "curve" gets bumpy and arbitrary. The following is 128-bits of
entropy, and a monster to remember and type:
artist-equal-cricket-eric-panic-visitor-orient-empire-final-costume-harvard-charlie
And get wrong a word form ("visit" vs "visitor") or confuse your Brit
sports ("rugby" vs "cricket") and you are locked out.
> Trouble is random words are hard to remember and type. Grammatically
> correct nonsense passphrases are easier to remember and type.
But in a real sentence it is even easier to mess up a plural or tense or
preposition. (Or was it: "But in real sentences it's even easier to mess
up plurals or tense or a preposition.")
Passphrases are hard. That's the key reason I think ssh keys are almost
always a bad idea: the key file isn't going to be protected with a
decent passphrase because decent passphrases are really hard. Whereas an
ssh password like "3d97critic-develop-winter" has over 47-bits of
entropy; if the sshd has any rate limiting it will take years of
continuous hammering to have a 50-50 chance of getting in.
The fact that an ssh key will survive even more years of the same
hammering doesn't see so valuable if:
a) The computer it is protecting doesn't have that long a lifetime.
b) The at-rest key file, were it to be acquired by the Bad Guys, can be
attacked at arbitrary speeds and might succumb far sooner.
If you had an important passphrase that you needed to type from memory
what would I recommend?
- It's okay to have internal structure to the passphrase to make it
easier to deal with: some numbers here, some words there, some
punctuation or capitalization mixed in. But don't tell anyone what that
structure is, keep it secret--which means don't use it anywhere else.
- Make the passphrase long. Even if the components are all low entropy
(dictionary words) the whole thing being longer and in a unknown format
makes cracking much harder.
- Put significant real entropy in it. (That is, choices you did /not/
make but were made by some high quality RNG.)
If the passphrase length implies 150-bits of entropy (about 23 printable
ASCII characters), with a format unknown to your attacker, and has, say,
70-bits of real entropy in it...I think that's pretty dang good. At over
twenty characters it can't be raw brute forced, someone needs to guess
the internal format and then brute force within that constraint. If they
don't know the structure of the passphrase they need to not only brute
force 70-bits of entropy, they need to brute force all the different
ways you might have formatted those 70-something bits of entropy. That
sounds hard. How juicy a target /are/ you?
-kb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20190813/94c340db/attachment.htm>
More information about the cryptography
mailing list