Re: Q: password generation

***TO Ertugrul Söylemez:
You should quote properly mentioning the original poster.  Many
newsreaders have a threaded view, where you could be mistaken to quote
me instead of Andrew.  In such cases it's best to just write two
separate messages starting two subthreads.

Ok, but I'm reading it online and see it very differently.
I'm used to repeating only the necessary part of the previous message,
because I hate being forced to read all the stuff I have already read.
I also prefer to reply to all at once, since otherwise I'd make four
times as much postings.
But next time I'll do it your way (at least I'll try).

The point of using a dictionary is passwords, which are both easy to
remember and easy to type.  One more word is probably much better, as
Ilmari pointed out.  Adding two words (from a 3300 words dictionary)
gives you more than 20 bits.  If you insist on not increasing the number
of words, you can use a larger dictionary.

I do not insist, I just think that escaping somehow from any pattern
makes it stronger.
Using a larger dictionary hardly helps, as YOU demonstrated. According to
http://en.wikipedia.org/wiki/English_language#Number_of_words_in_English
there are 475,000 words in the probably largest dictionary, which gives me
only 3.8 bits more per word, and it weighs 6 kg and costs $47.50.


***TO Ilmari Karonen:
More importantly, it would be much harder to *remember* which letters
you need to capitalize than to remember one or two additional words.

Or which of these passphrases (generated using a slightly smaller
dictionary of only 2354 words) would _you_ find easier to memorize:

 a) "ramp true boat deem land card buoy" (7*11.2 = 78.4 bits), or
 b) "iaMb Laid ZETA DiCK hOBO" (5*11.2 + 20 = 76 bits)?

Try it -- type both a few times, for practice, then go away for five
minutes and see if you can retype them exactly without looking.

You're right... that's why I need a simple rule used for ALL my
passwords.
My password looks like none of the above, let's say I start with

ramptrueboatdeemland

having (according to you) 5*11.2 bits = 56 bits, apply my rule 1
1. Capitalize the letters at positions 2, 3, 5, and 7.
and get (using position numbering starting at 0)

raMPtRuEboatdeemland

apply the rule
2. Increment (Caesar-like) each letter following the first and second
vowel.
and get (the vowels are "a" and "u")

raNPtRuFboatdeemland

apply the rule
3. Capitalize all letters between the last two characters belonging to
the set {"z", "x", "c", ..., "m"}
and get again (the two characters are the "e" and the immediately
preceding "e", so this is a no-op)

raNPtRuFboatdeemland

apply the rule
4. Replace "q"->"1", "w"->"2", ..., "o"->"9", "p"->"0", but only
twice, starting from position 10.
and get

raNPtRuFboa5d3emland

I see it's a bit complicated, but I claim:
1. The rules are easy to remember and not hard to use (once you've got
used to them).
2. There's no way to find out the rules given only a few passwords.
3. Even if you know some rules, applying them makes you risk missing
the password.

***TO rossum:
I sometimes use a system of regular capitalisation across the phrase,
for example:

  tramP kilLs stOat aFter Seven

  xxxxX xxxXx xxXxx xXxxx Xxxxx

That makes it easier to remember where the capital letters go, though
it does reduce the entropy somewhat compared to random capitalisation.

***TO Ertugrul Söylemez:
For somebody knowing your rule, the entropy is zero.
For somebody not knowing it, the entropy is 1 bit per letter.
The rule is simple, but easy to find out given a single other
password.

After having told us that, the entropy added is zero. ;)

Right. I understand the added entropy here as the amount of missing
information, so if I tell you my favorite password
p^&iyg/*-Y))~hJ87UVjhvjh,m:\}{uit/|
then its entropy is zero for you.

Seriously:  Your method adds very little, because there aren't many such
regular patterns.

It depends on what regular means. For somebody, the following may be
regular:
xxxXX xxXxX xxXXx xXxxX xxXXx
In fact, there's a simple rule for it, do you see it?
Even here, there's a similar simple rule:
xxxXX xXxxX XXxXX XxxxX XxxXX

***TO rossum:
I sometimes use a system of regular capitalisation across the phrase,
Seriously:  Your method adds very little, because there aren't many such
regular patterns.
Agreed.  I have sixteen patterns, eight patterns and the equivalent
eight antipatterns, so they add just four bits.

They do now. After you have told us.

And you believed me? :)
At least I'll consider it when breaking your passwords. =)

***TO Ertugrul Söylemez:
And you believed me? :)
At least I'll consider it when breaking your passwords. =)

That's why I gave you so many fake ideas. :D:D
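A worked version of the entropy accounting and of the four-rule transformation discussed in this thread, added here as an example; it is not code from any of the posters. It assumes the set {"z","x","c",...,"m"} in rule 3 means the bottom keyboard row z x c v b n m, the candidate lists are constructed, and the function and variable names are my own. Two things a reader should notice: with that reading of the set, rule 3 is not a no-op on the post's string (the last two bottom-row letters are the m of "deem" and the n of "land", so the two letters between them get capitalised, and the final string differs from the one written in the post; the set is a parameter so another reading can be tried), and the last function makes Ertugrul's point concrete: a fixed rule with no secret input maps N base candidates to at most N derived strings, so once the rule is known it adds zero bits to the attacker's search.

```python
import math

# Constructed example input: the 20-letter base string from the post
# ("ramp true boat deem land" with the spaces removed).
BASE = "ramptrueboatdeemland"

VOWELS = set("aeiou")
# Assumption: {"z","x","c",...,"m"} in rule 3 is the bottom QWERTY row.
BOTTOM_ROW = set("zxcvbnm")
# Rule 4 maps the top letter row onto the digit row: q->1 ... o->9, p->0.
TOP_ROW_TO_DIGIT = dict(zip("qwertyuiop", "1234567890"))


def bits_per_word(dict_size: int) -> float:
    """Entropy of one word chosen uniformly from a dictionary of dict_size words."""
    return math.log2(dict_size)


def passphrase_bits(dict_size: int, n_words: int, extra_bits: float = 0.0) -> float:
    """Entropy of n_words uniform picks plus any genuinely random extra choice
    (e.g. 20 bits for independently random capitalisation of 20 letters)."""
    return n_words * bits_per_word(dict_size) + extra_bits


def pattern_bits(n_patterns: int) -> float:
    """Entropy added by picking one of n_patterns fixed capitalisation
    patterns uniformly at random (16 patterns -> 4 bits)."""
    return math.log2(n_patterns)


def rule1_capitalize(s: str, positions=(2, 3, 5, 7)) -> str:
    """Rule 1: upper-case the letters at the given 0-based positions."""
    return "".join(c.upper() if i in positions else c for i, c in enumerate(s))


def rule2_shift_after_vowels(s: str, n_vowels: int = 2) -> str:
    """Rule 2: Caesar-shift by one the letter following each of the first
    n_vowels vowels.  Vowel positions come from the input string, so a letter
    that becomes a vowel by shifting is not counted."""
    chars = list(s)
    vowel_pos = [i for i, c in enumerate(s) if c.lower() in VOWELS][:n_vowels]
    for i in vowel_pos:
        if i + 1 < len(chars) and chars[i + 1].isalpha():
            c = chars[i + 1]
            base = ord("A") if c.isupper() else ord("a")
            chars[i + 1] = chr((ord(c) - base + 1) % 26 + base)
    return "".join(chars)


def rule3_capitalize_between(s: str, charset=BOTTOM_ROW) -> str:
    """Rule 3: upper-case everything strictly between the last two characters
    that belong to charset.  No-op when fewer than two such characters exist."""
    hits = [i for i, c in enumerate(s) if c.lower() in charset]
    if len(hits) < 2:
        return s
    lo, hi = hits[-2], hits[-1]
    return s[: lo + 1] + s[lo + 1 : hi].upper() + s[hi:]


def rule4_digits(s: str, start: int = 10, count: int = 2) -> str:
    """Rule 4: from position start onward, replace the first count letters
    lying on the top keyboard row with their digit (q->1 ... p->0)."""
    chars = list(s)
    done = 0
    for i in range(start, len(chars)):
        if done == count:
            break
        digit = TOP_ROW_TO_DIGIT.get(chars[i].lower())
        if digit is not None:
            chars[i] = digit
            done += 1
    return "".join(chars)


RULES = (rule1_capitalize, rule2_shift_after_vowels, rule3_capitalize_between, rule4_digits)


def derive_stages(base: str) -> list:
    """Return [base, after rule 1, after rule 2, after rule 3, after rule 4]."""
    stages = [base]
    for rule in RULES:
        stages.append(rule(stages[-1]))
    return stages


def derive(base: str) -> str:
    """Apply the four rules in order: deterministic, no secret input."""
    return derive_stages(base)[-1]


def bits_added_when_rule_known(candidates) -> float:
    """Bits the rules add for an attacker who knows them: the derived set is
    never larger than the candidate set, so the result is at most 0."""
    derived = {derive(c) for c in candidates}
    return math.log2(len(derived)) - math.log2(len(candidates))


if __name__ == "__main__":
    for name, s in zip(("base", "rule 1", "rule 2", "rule 3", "rule 4"), derive_stages(BASE)):
        print(f"{name:>6}: {s}")
    print(f"7 words from 2354: {passphrase_bits(2354, 7):.1f} bits")
    print(f"5 words from 2354 + 20 random caps: {passphrase_bits(2354, 5, 20):.1f} bits")
    print(f"475000 vs 3300 words: +{bits_per_word(475000) - bits_per_word(3300):.2f} bits per word")
    # Constructed candidate list standing in for an attacker's base-phrase enumeration.
    cands = ["ramptrueboatdeemland", "ramptrueboatdeemlane", "iambzetalaiddickhobo"]
    print(f"bits added by the rules once known: {bits_added_when_rule_known(cands):.1f}")
```

Each rule is its own function so a reader can check a single step against the post: rules 1, 2 and 4 reproduce the strings given there exactly, and rule 3 is where the literal reading and the post's "no-op" diverge.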