More on Passwords

In my previous entry about passwords, I didn’t say how hard it would be to crack my passwords. Beats me. I didn’t even say how many bits of entropy they represent, which is apparently what all the cool crypto cats do.

(The first number I cited, 3 × 1 million³, has 62 bits(!) of entropy. That’s a tough nut to crack. My least-secure option I said was from a pool of 425 million passwords. That’s only 29 bits, which is still about twice as secure as the passwords people suggest you use, things like Tr0ub4dor&3.)

The reason I didn’t cite bits of entropy is (first, that I don’t know math, but secondly) because I’m more interested in the size of the password pool. That is, if you knew the set of common words I’m using (you don’t, but you could start here), how many different separators I use, and the rules for combining them, there are that many possible outcomes.

My pool-size numbers are conservative, because a cracker doesn’t know (for sure) if I’m using only legal words, much less common ones. For all the would-be cracker knows, my dictionary could be full of gibberish like you get from pwgen(1):

iquifeer  nosubiek  iungeime
eighaeka  aqueejas  oaxepohb
aequahsa  raingaej  azeefeep
johphaec  fahtieda  aihaimif
aduyoowe  airahbop  iedeibae

I might even be using pwgen’s “hard” settings:

jjfidv7B  8ZbBAEMP  9zR5PBPn
8f45kjMB  bWZiOF6j  3P7t4FLY
Y1iZKeYA  z8k0nv1T  WD3yQcW8
nDyVSe5o  k42muCy2  F7W43IFD
u2pGNV8F  fQ0CvvT7  k7awERR1

I wouldn’t do that, because those passwords would be hard for me to remember. But how does the cracker know that?
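The pool-size arithmetic above, as an added example that is not from the original post: it turns the post's pool sizes into bits of entropy and into expected search time at an assumed guess rate, for the word scheme and for both pwgen modes. Reading "3 × 1 million³" as three separator choices times three words from a million-word list, the 26- and 62-symbol alphabets for pwgen's two outputs, and the 10^10 guesses/second rate are all assumptions.

```python
import math

# Constructed figures for the schemes this post discusses (not the post's own code).
DICTIONARY_WORDS = 1_000_000   # "1 million" common words per slot
WORDS_PER_PASSWORD = 3         # three words joined together
SEPARATOR_CHOICES = 3          # assumption: the leading "3 x" is three separator choices
WEAKEST_POOL = 425_000_000     # the 425 million pool the post calls least secure
PWGEN_LOWERCASE = 26           # pwgen default output shown above: lowercase letters
PWGEN_HARD = 62                # pwgen "hard" output shown above: a-z, A-Z, 0-9
PWGEN_LENGTH = 8
GUESS_RATE = 1e10              # assumption: guesses/second for a fast offline attack

def pool_bits(pool_size: float) -> float:
    """Bits of entropy for a password chosen uniformly from pool_size candidates."""
    return math.log2(pool_size)

def word_scheme_pool(dictionary_size: int, words: int, separators: int) -> int:
    """Outcomes for `words` dictionary words joined by one of `separators` separator styles."""
    return separators * dictionary_size ** words

def charset_pool(alphabet_size: int, length: int) -> int:
    """Upper bound on outcomes for `length` symbols drawn from an alphabet of alphabet_size.
    pwgen's default mode is phonemic rather than uniform, so its real pool is smaller."""
    return alphabet_size ** length

def expected_crack_seconds(pool_size: float, guesses_per_second: float) -> float:
    """Mean time to hit a uniformly chosen password: half the pool at the given rate."""
    return pool_size / 2 / guesses_per_second

def compare_schemes() -> dict:
    """Bits and expected offline crack time (years) for each scheme the post mentions."""
    pools = {
        "three common words": word_scheme_pool(DICTIONARY_WORDS, WORDS_PER_PASSWORD, SEPARATOR_CHOICES),
        "least-secure option": WEAKEST_POOL,
        "pwgen default (8 lowercase)": charset_pool(PWGEN_LOWERCASE, PWGEN_LENGTH),
        "pwgen hard (8 mixed)": charset_pool(PWGEN_HARD, PWGEN_LENGTH),
    }
    return {
        name: {
            "bits": round(pool_bits(size), 1),
            "crack_years": expected_crack_seconds(size, GUESS_RATE) / (365.25 * 86400),
        }
        for name, size in pools.items()
    }

if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(f"{name:30} {result['bits']:5.1f} bits  ~{result['crack_years']:.2e} years")
```

The comparison shows why the post's pool-size view is the conservative one: the three-word scheme outscores even pwgen's "hard" 8-character output, and the rate assumption is the only knob that changes the years, not the ordering.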
