by dannysu
3495 days ago
What we should really talk about is the password entropy like what you've done. If you take the xkcdpass package from Ubuntu, it uses a word list of 41230 words by default [1]. That's 41230^4 and about 61 bits of password entropy. If you want to use a smaller word list, add words to the passphrase until you reach a desirable password entropy. Using your example of 80^7 for random characters, that's only 44-bit password entropy. So in this case, xkcdpass gives you a stronger password with just 4 words. If you want to reduce the word list to 3000, just add 1 more word and it's 46-bit password entropy. A decision between 7 random characters vs 5 words. I personally prefer random characters because you can up the entropy significantly, and I have no problem remembering a random sequence in the mid-teens range. That can easily get you 90-bit entropy or more. Everything else is saved in my password manager and there you can up the entropy even more. My auto-generated passwords are usually around 200-bit entropy.

[1]: https://github.com/redacted/XKCD-password-generator
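The entropy arithmetic in the comment above (bits = symbols × log2(alphabet size)) and the "keep adding words until you hit the target" rule, as an added example that is not part of the thread or of the xkcdpass project. The word list here is a tiny constructed one for illustration; the entropy figures only hold when every symbol is drawn uniformly at random, which is why generation uses `secrets` rather than `random`.

```python
import math
import secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size` choices.

    For a word-based passphrase the "alphabet" is the word list; for a character
    password it is the character set (e.g. 80 printable characters).
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 choices and at least 1 symbol")
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of uniformly chosen symbols reaching `target_bits` of entropy."""
    if alphabet_size < 2:
        raise ValueError("need at least 2 choices")
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(wordlist: list[str], n_words: int, sep: str = " ") -> str:
    """Pick `n_words` words uniformly at random (with replacement) using a CSPRNG."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed demo word list; a real list (xkcdpass ships ~41230 words) is far larger.
DEMO_WORDS = ["copper", "orbit", "lantern", "velvet", "quarry", "nimble", "tundra", "saffron"]


def compare_schemes(target_bits: float = 90.0) -> dict[str, int]:
    """How many words vs. how many characters are needed for `target_bits`.

    Uses the thread's own parameters: a 41230-word list and an 80-character set.
    """
    return {
        "words_from_41230_list": symbols_needed(41230, target_bits),
        "chars_from_80_charset": symbols_needed(80, target_bits),
    }


if __name__ == "__main__":
    print(f"41230^4 -> {entropy_bits(41230, 4):.1f} bits")
    print(f"80^7    -> {entropy_bits(80, 7):.1f} bits")
    print("for 90 bits:", compare_schemes(90))
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

Running it reproduces the 61-bit and 44-bit figures from the comment and shows that 90 bits takes 6 words from the 41230-word list versus 15 characters from an 80-character set, which is the "mid-teens" sequence length the commenter mentions. The demo list gives only 3 bits per word, so never use a list that short for a real passphrase.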
Isn't it far easier to up the entropy of a passphrase, though? Unless your password is using the entire Unicode character set, adding a word to a passphrase is going to give you better entropy than adding a character to a password, and it will probably be easier to remember since you can - reasonably safely - give it contextual meaning.