In my previous entry about passwords, I didn’t say how hard it would be to crack my passwords. Beats me. I didn’t even say how many bits of entropy they represent, which is apparently what all the cool crypto cats do.
(The first number I cited, 3 × 1 million³, works out to about 61 bits(!) of entropy. That’s a tough nut to crack. My least-secure option, I said, came from a pool of 425 million passwords. That’s only 29 bits, which is still about twice the search space of the passwords people suggest you use, things like Tr0ub4dor&3.)
The reason I didn’t cite bits of entropy is (first, because I don’t know math, but secondly) because I’m more interested in the size of the password pool. That is, if you knew the set of common words I’m using (you don’t, but you could start here), how many different separators I use, and the rules for combining them, there are that many possible outcomes. The two measures are the same thing in different units: the bits of entropy are just log₂ of the pool size, so a pool of 2³⁰ passwords is 30 bits.
My pool-size numbers are conservative, because a cracker doesn’t know (for sure) if I’m using only legal words, much less common ones. For all the would-be cracker knows, my dictionary could be full of gibberish like you get from pwgen(1):
iquifeer nosubiek iungeime eighaeka aqueejas oaxepohb aequahsa raingaej azeefeep johphaec fahtieda aihaimif aduyoowe airahbop iedeibae
I might even be using pwgen’s “hard” settings:
jjfidv7B 8ZbBAEMP 9zR5PBPn 8f45kjMB bWZiOF6j 3P7t4FLY Y1iZKeYA z8k0nv1T WD3yQcW8 nDyVSe5o k42muCy2 F7W43IFD u2pGNV8F fQ0CvvT7 k7awERR1
I wouldn’t do that, because those passwords would be hard for me to remember. But how does the cracker know that?
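As an added illustration (example code written for this page, not part of the original post), here is the arithmetic behind pool size, bits of entropy, and what a cracker who does and does not know the scheme is up against. The combining rule (choose one of three separators, then draw three words independently from a million-word list) is my assumption, picked because it reproduces the 3 × 1 million³ figure above; the passphrase maple-river-candle and the guess rate of 10¹⁰ per second are constructed for illustration; the 26- and 62-character pools are upper bounds for the two kinds of pwgen output shown above, since pwgen’s pronounceable default draws from a subset of those strings.

```python
import math
import string

# Added example, not the post's own code. The combining rule below is an
# assumption: pick one separator from a small set, then draw n words
# independently from the dictionary. That reproduces "3 x 1 million^3".

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def passphrase_pool(dictionary_size: int, n_words: int, n_separators: int = 1) -> int:
    """Number of distinct passphrases under the assumed rule:
    one of n_separators, then n_words words from a dictionary of dictionary_size."""
    return n_separators * dictionary_size ** n_words


def charset_pool(alphabet_size: int, length: int) -> int:
    """Number of fixed-length strings over an alphabet. For a generator like
    pwgen this is an upper bound: its pronounceable default emits only a
    subset of these strings, so its real entropy is lower."""
    return alphabet_size ** length


def bits(pool: int) -> float:
    """Entropy in bits is simply log2 of the pool size."""
    return math.log2(pool)


def naive_attacker_pool(password: str) -> int:
    """Keyspace faced by an attacker who knows only the length and which
    character classes appear, not the dictionary or the combining rule.
    This is the ceiling on the work they face; knowing the scheme lowers it."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    return alphabet ** len(password)


def seconds_to_exhaust(pool: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return pool / guesses_per_second


def main() -> None:
    rate = 1e10  # assumed guesses per second, constructed for illustration
    rows = [
        ("3 words, 1M dictionary, 3 separators", passphrase_pool(10**6, 3, 3)),
        ("least-secure scheme from the earlier post", 425_000_000),
        ("8 chars, 26 lowercase (pwgen default, upper bound)", charset_pool(26, 8)),
        ("8 chars, 62 alphanumerics (pwgen hard, upper bound)", charset_pool(62, 8)),
    ]
    print("Pool sizes as an informed attacker sees them:")
    for label, pool in rows:
        print(f"  {label:52s} {bits(pool):6.1f} bits, "
              f"{seconds_to_exhaust(pool, rate):12.3g} s at {rate:.0e}/s")

    print("Ceiling seen by an attacker who knows nothing about the scheme:")
    for pw in ("maple-river-candle", "Tr0ub4dor&3", "iquifeer"):
        print(f"  {pw:20s} {bits(naive_attacker_pool(pw)):6.1f} bits")


if __name__ == "__main__":
    main()
```

Two things fall out of running it. First, the constructed passphrase looks like roughly 105 bits to a cracker who only sees 18 lowercase-plus-punctuation characters, but about 61 bits to one who knows the dictionary and the rule; the pool-size figure is the honest one because it assumes the cracker has read this post. Second, Tr0ub4dor&3 looks like about 72 bits to the same naive cracker, and its actual weakness comes entirely from the predictable substitution pattern, which is exactly the kind of structure a dictionary-and-rules attacker exploits.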