[Cryptography] generated passphrases

Kent Borg kentborg at borg.org
Tue Aug 13 16:19:07 EDT 2019

On 8/12/19 6:53 PM, jamesd at echeque.com wrote:
> There are plenty of random phrase generators around, but I have not 
> found their algorithms and their word databases.
> I hope someone could direct me to some open source for random phrase 
> generation

I have a simple largely homebrew solution using mnencode. I downloaded 
my copy a long time ago, but I think it is the same as 

It is a program that converts data to words (and the companion mndecode 
converts back). It is like base64 but more pronounceable output. And 
because it is a two-way thing--nothing added nothing lost--whatever 
entropy you feed in is in the output.

I use it to generate passwords by (roughly*) feeding a few bytes from 
Linux's /dev/urandom into it. Presto: turn high quality random bits into 
something memorable.

$ head -c 4 /dev/random | mnencode
$ head -c 4 /dev/random | mnencode
$ head -c 4 /dev/random | mnencode
$ head -c 4 /dev/random | mnencode

Those are high quality passwords with 32-bits of real entropy each.

      * Actually, I use it in combination with a Python program I wrote
    to generate somewhat more complicated passwords. For example
    sometimes systems will silently truncate passwords at, say,
    8-characters. So that last one might actually end up being
    "costume-", which isn't so good. So I recommend prepending some hex
    digits. If some stupid system truncates "7csaturn-accent-vatican" at
    8-characters it will still be "7csaturn" which isn't a horrible

> pass phrases for crypto currency accounts require about a 128 bits of 
> entropy

The difference between a login password and an encryption passphrase is 
gigantic and mostly ignored. I am so glad to see people underlining this 

Encryption passphrases are /really/ hard to reliably remember (and quite 
hard to blindly type accurately without a keyboard echo).

In the examples above it is easy to "curve fit" an idea through three 
words, and use it to help remember the password. But when it gets longer 
the "curve" gets bumpy and arbitrary. The following is 128-bits of 
entropy, and a monster to remember and type:


And get wrong a word form ("visit" vs "visitor") or confuse your Brit 
sports ("rugby" vs "cricket") and you are locked out.

> Trouble is random words are hard to remember and type. Grammatically 
> correct nonsense passphrases are easier to remember and type.

But in a real sentence it is even easier to mess up a plural or tense or 
preposition. (Or was it: "But in real sentences it's even easier to mess 
up plurals or tense or a preposition.")

Passphrases are hard. That's the key reason I think ssh keys are almost 
always a bad idea: the key file isn't going to be protected with a 
decent passphrase because decent passphrases are really hard. Whereas an 
ssh password like "3d97critic-develop-winter" has over 47-bits of 
entropy; if the sshd has any rate limiting it will take years of 
continuous hammering to have a 50-50 chance of getting in.

The fact that an ssh key will survive even more years of the same 
hammering doesn't see so valuable if:

a) The computer it is protecting doesn't have that long a lifetime.

b) The at-rest key file, were it to be acquired by the Bad Guys, can be 
attacked at arbitrary speeds and might succumb far sooner.

If you had an important passphrase that you needed to type from memory 
what would I recommend?

- It's okay to have internal structure to the passphrase to make it 
easier to deal with: some numbers here, some words there, some 
punctuation or capitalization mixed in. But don't tell anyone what that 
structure is, keep it secret--which means don't use it anywhere else.

- Make the passphrase long. Even if the components are all low entropy 
(dictionary words) the whole thing being longer and in a unknown format 
makes cracking much harder.

- Put significant real entropy in it. (That is, choices you did /not/ 
make but were made by some high quality RNG.)

If the passphrase length implies 150-bits of entropy (about 23 printable 
ASCII characters), with a format unknown to your attacker, and has, say, 
70-bits of real entropy in it...I think that's pretty dang good. At over 
twenty characters it can't be raw brute forced, someone needs to guess 
the internal format and then brute force within that constraint. If they 
don't know the structure of the passphrase they need to not only brute 
force 70-bits of entropy, they need to brute force all the different 
ways you might have formatted those 70-something bits of entropy. That 
sounds hard. How juicy a target /are/ you?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20190813/94c340db/attachment.htm>

More information about the cryptography mailing list