Re: Q: password generation

Maaartin wrote:
The point of using a dictionary is passwords, which are both easy to
remember and easy to type. One more word is probably much better as
Ilmari pointed out. Adding two words (from a 3300 words dictionary)
gives you more than 20 bits. If you insist on not increasing the number
of words, you can use a larger dictionary.

I do not insist, I just think that escaping somehow from any pattern
makes it stronger.

But this is not how security works. Your system should assume that the
attacker knows your method completely, including all possible patterns.
They just need to find out which of the patterns and words you used at
which positions.

Here is the reason: Firstly and most importantly this makes the math
much simpler (x^y), hence it makes reasoning about your security easier
by the same factor. Particularly it eliminates assumptions and special

Of course your extensions contribute some security, but the expense is
higher complexity and less convenience. This is likely not what you
wanted when deciding to use dictionary-based passwords in the first place.

Using a larger dictionary hardly helps as YOU demonstrated. According
there are 475,000 words in the probably largest dictionary, which
gives me only 3.8 bit more per word and weighs 6 kg and $47.50.

A 3300 words dictionary is quite small. Modern dictionaries contain far
more words. For example the German Duden contains more than 150000
definitions. You can also find large word lists online.

Moving from a 3300 words dictionary to a 6600 words dictionary certainly
doesn't add much, but you would be moving to 475000 words, which would
add 7.17 bits (not 3.8 bits) per word, without making the passwords any
harder to remember. However, it bears the risk of getting longer words,
so adding a few more short words from the 3300-dictionary would probably
be better, and this is still what I'm recommending. Also beware that
real dictionaries are redundant to some extent, so the actual number of
terms may be less than the number of definitions.

If you want high entropy with short easy-to-type passwords, don't use a
dictionary-based approach, but rather a pronounceable password
generator. Those passwords are not as easy to remember, although the
pronounceability helps a lot.

Seriously: Your method adds very little, because there aren't many such
regular patterns.

It depends what regular means. For somebody the following may be
xxxXX xxXxX xxXXx xXxxX xxXXx
In fact, there's a simple rule for it, do you see it?
Even here, there's a similar simple rule:
xxxXX xXxxX XXxXX XxxxX XxxXX

You could add up to 5 bits per word using such capitalization rules,
assuming that the attacker doesn't know what "regular" means for you,
i.e. the attacker needs to assume random patterns. This is for
five-letter passwords. Using a 3300 * 2^5 = 105600 words dictionary has
the same effect without that assumption.

However, using the original 3300 words dictionary and seven random
words, do you really need such strengthening methods?
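The arithmetic behind the thread (bits per word as log2 of the dictionary size, the 7.17 extra bits from 3300 vs 475000 words, and the 2^5 capitalization masks of a five-letter word being worth at most 5 bits, i.e. the same as a 105600-word dictionary) worked through as an added Python example. This is not code from the original post; the small word list is constructed for illustration, and the generator uses the `secrets` module so that the "attacker knows the method" assumption holds: every word and every capitalization mask is chosen uniformly, so the entropy is exactly what the formulas say.

```python
"""Passphrase entropy arithmetic for the dictionary scheme in the thread.
Added example; not code from the original post."""
import math
import secrets
from itertools import product


def bits_per_word(dictionary_size: int, pattern_choices: int = 1) -> float:
    """Entropy of one word drawn uniformly from the dictionary, optionally
    multiplied by the number of equally likely capitalization patterns
    applied to it. The attacker is assumed to know the scheme, so only the
    number of equiprobable choices counts (x^y reasoning from the post)."""
    return math.log2(dictionary_size * pattern_choices)


def passphrase_bits(dictionary_size: int, n_words: int,
                    pattern_choices: int = 1) -> float:
    """Total entropy of n_words independent uniform picks."""
    return n_words * bits_per_word(dictionary_size, pattern_choices)


def extra_bits_from_larger_dictionary(small: int, large: int) -> float:
    """How much each word gains when the dictionary grows from small to large."""
    return bits_per_word(large) - bits_per_word(small)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of words reaching target_bits with this dictionary."""
    return math.ceil(target_bits / bits_per_word(dictionary_size))


def capitalization_patterns(word_length: int) -> list[str]:
    """All 2^n upper/lower masks for a word of the given length, in the
    x/X notation of the post. Any 'regular' rule only picks a subset, so
    counting all masks is the upper bound on what such a rule can add."""
    return ["".join(p) for p in product("xX", repeat=word_length)]


def apply_mask(word: str, mask: int) -> str:
    """Uppercase letter i of word when bit i of mask is set."""
    return "".join(c.upper() if (mask >> i) & 1 else c for i, c in enumerate(word))


def generate_passphrase(word_list: list[str], n_words: int,
                        capitalize: bool = False) -> str:
    """Uniform random passphrase; with capitalize=True each word also gets
    a uniformly random mask, i.e. exactly log2(2^len) extra bits per word."""
    out = []
    for _ in range(n_words):
        w = secrets.choice(word_list)
        if capitalize:
            w = apply_mask(w, secrets.randbits(len(w)))
        out.append(w)
    return " ".join(out)


# Constructed toy word list (a real list would have thousands of entries).
SAMPLE_WORDS = ["apple", "brick", "cloud", "delta", "ember",
                "flute", "grape", "honey", "ivory", "jelly"]


if __name__ == "__main__":
    print("bits/word, 3300 words:   %.2f" % bits_per_word(3300))
    print("bits/word, 475000 words: %.2f" % bits_per_word(475000))
    print("gain per word:           %.2f" % extra_bits_from_larger_dictionary(3300, 475000))
    print("7 words from 3300:       %.1f bits" % passphrase_bits(3300, 7))
    print("3300 words x 2^5 masks:  %.2f bits/word" % bits_per_word(3300, 32))
    print("words for 80 bits (3300 / 475000): %d / %d"
          % (words_needed(3300, 80), words_needed(475000, 80)))
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4, capitalize=True))
```

Running the script prints the per-word figures from the thread (about 11.69 bits for 3300 words, 18.86 for 475000, a gain of 7.17) and shows that seven words from the small dictionary already give roughly 82 bits, which is the point of the closing question.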

