For actual encryption (disk encryption, WiFi) I make sure there's at least 128 bits, and I often find it easier to use the full ASCII there. For things that are only online brute-forceable or susceptible to hacking anyway I'm okay with 4 words out of a 6709 word dict (50 bits).
2
I remember from a security grad course to use four random word phrases. I think it was something about the entropy between # of characters and # of words. I thought that was pretty interesting. I previously thought random chars were a lot better.
1
1
It's all in the number of combinations. If you're drawing from a 20,000 word dictionary, that's 20,000^5. If you're selecting 12 letters from 95 printable characters, that's 95^12. You can adjust the number of words, and the size of the word list, to produce any equivalent combo
2
1
Yeah, however, an Oxford English dictionary has 170,000 words, so that would be 170,000^5. So bigger than 95^12.
1
2
Some very long words in the OED & I don't know about you but I have trouble spelling some of them reliably
1
2
Wouldn't (in theory) choosing simple words be as effective as complicated ones? I know it would suck in practice, cause most attackers would use brute force attacks with chars and not words 😅
1
As long as you're choosing from a sufficiently high number of words, and truly choosing randomly - what the words are doesn't matter.
1
That passgen wordlist is 7236 words. Six words from that wordlist would be a sufficient possible number of combinations to resist a lot of hardware trying to attack a very fast hash (like MD5), and would be equivalent to a 12-char random-char password. wolframalpha.com/input/?i=72…
1
(And such a passphrase wouldn't be feasible to attack at the individual character level - it would be much too long. But even if the attacker has perfect knowledge - by combining the words the same way you did, and knowing the exact wordlist - the sheer numbers would win.)
1
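The arithmetic behind the replies above (combinations as pool_size^length, and the comparison of six words from a 7236-word list with 12 random printable characters) worked through as an added example; this is not code from the thread or from the passgen tool it mentions. The wordlist sizes and the 95-character printable-ASCII pool are the figures quoted in the thread; the eight-word toy list used for the generator demo is constructed here purely so the block runs offline.

```python
import math
import secrets


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform draws from `pool_size` symbols.

    A word is just a symbol drawn from a large alphabet (the wordlist), so the
    same formula covers word-based and character-based passphrases alike.
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist: list[str], n_words: int, sep: str = " ") -> str:
    """Draw n_words uniformly with the OS CSPRNG (secrets, never the random module).

    Uniform, independent draws are what makes the entropy formula above hold;
    a human picking 'random' words does not achieve that.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Figures quoted in the thread.
PRINTABLE_ASCII = 95
COMPARISONS = {
    "4 words / 6709-word list": entropy_bits(6709, 4),
    "6 words / 7236-word list": entropy_bits(7236, 6),
    "12 random printable ASCII": entropy_bits(PRINTABLE_ASCII, 12),
    "5 words / 20000-word list": entropy_bits(20000, 5),
    "5 words / 170000-word list": entropy_bits(170000, 5),
}

# Constructed toy wordlist (assumption, for the demo only). With only 8 words each
# draw is worth 3 bits; a 7236-word list gives log2(7236) ~ 12.8 bits per word.
TOY_WORDLIST = ["apple", "river", "stone", "cloud", "maple", "wolf", "candle", "orbit"]

if __name__ == "__main__":
    for label, bits in COMPARISONS.items():
        print(f"{label:28s} {bits:6.1f} bits")
    print("words from a 7236-word list to match 12 ASCII chars:",
          words_needed(7236, entropy_bits(PRINTABLE_ASCII, 12)))
    print(f"sample from toy list ({entropy_bits(len(TOY_WORDLIST), 6):.0f} bits only):",
          generate_passphrase(TOY_WORDLIST, 6))
```

Running it shows why the thread's numbers line up: 4 words from 6709 is about 50.8 bits, 6 words from 7236 about 76.9 bits against about 78.8 bits for 12 printable-ASCII characters, while 20000^5 (about 71.4 bits) falls short of 95^12 and 170000^5 (about 86.9 bits) exceeds it. The calculation assumes the attacker knows the wordlist and the separator, as the reply above says, so the strength comes only from the number of uniformly random draws.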
🤣🤣🤣🤣🤣

Dec 9, 2021 · 4:53 AM UTC
