by e12e 3446 days ago
But there's a reason for hiding password input: [ed: making shoulder surfing a little harder]. Or unlocking a computer that's projecting to an audience. [ed: see also citizenfour where Snowden uses a blanket when typing in a pass phrase].

This is indeed not about password "theory", because experience shows that actual system (in)security happens where computer systems and users interact.

Using a common subset of keyboard layouts for different languages (limiting the character set) and being workable on touch screens are important for security. And using passwords at all is working around "bad platforms".

> The 11 bits of entropy refer to a dictionary of 2K words to choose from. The reason to type full ones is you're not hamstrung by the "no common prefix" limitation, which allows larger (and easier to remember) dictionaries.

From playing with this, I'm not convinced the tradeoff of using a big dictionary that cannot be enumerated by a short unique prefix (to reduce length) really adds that much - any more than increasing the character set beyond 26/36 helps all that much - because you only gain a bit for every doubling in size.

My idea is for the mnemonic to form an actual "story" (in a secure way) - in the hope that it's easier to remember: "boy flies angrily away" than "correct horse battery staple".

A) that may be wrong

B) You still need too many words in order to encode a "high enough" entropy
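The entropy arithmetic behind the comment above (one bit per doubling of the dictionary, a fixed number of words needed to reach a target, and what a "story" template with a fixed slot per word actually buys), as an added example that is not part of the original thread. The word lists are small constructed samples, not the 2K-word dictionary the comment refers to; the function names and the four-slot "subject verb adverb direction" template are this example's own assumptions.

```python
"""Passphrase entropy arithmetic: dictionary size, word count and "story" templates.

Added example, not from the thread. Word lists below are constructed toy samples;
a real generator would load a full list of unambiguous words per slot.
"""
import math
import secrets


def bits_per_choice(n_options: int) -> float:
    """Entropy of one uniform random pick from n_options: log2 of the list size.

    Doubling the list adds exactly one bit, which is the point made above about
    big dictionaries and big character sets.
    """
    if n_options < 2:
        raise ValueError("need at least two options to carry any entropy")
    return math.log2(n_options)


def password_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a length-character password with each character uniform over alphabet_size."""
    return length * bits_per_choice(alphabet_size)


def words_needed(target_bits: float, dict_size: int) -> int:
    """Smallest number of independent, uniformly chosen words from a dict_size list
    that reaches target_bits (e.g. 64 bits from a 2K list needs 6 words, not 5)."""
    return math.ceil(target_bits / bits_per_choice(dict_size))


def story_entropy(slot_sizes) -> float:
    """Entropy of a 'story' passphrase whose i-th word is drawn uniformly from a
    list of slot_sizes[i] candidates.

    A fixed grammatical template (subject, verb, adverb, ...) costs nothing as long
    as each slot is filled independently and uniformly; what it does is shrink each
    slot's list to words of one part of speech, so each word carries fewer bits than
    a pick from one big mixed list.
    """
    return sum(bits_per_choice(n) for n in slot_sizes)


def generate_story(slots) -> str:
    """Fill each slot with a CSPRNG pick (secrets, never random), one word per slot."""
    return " ".join(secrets.choice(words) for words in slots)


# Constructed toy slot lists (assumption: real lists are hundreds of words each).
SUBJECTS = ["boy", "girl", "dog", "cat", "owl", "fox", "bat", "ant"]
VERBS = ["flies", "runs", "swims", "sings", "hides", "climbs", "jumps", "sleeps"]
ADVERBS = ["angrily", "slowly", "quietly", "happily"]
DIRECTIONS = ["away", "home", "north", "south"]
STORY_SLOTS = [SUBJECTS, VERBS, ADVERBS, DIRECTIONS]


if __name__ == "__main__":
    print("2K list, bits/word:", bits_per_choice(2048))          # 11.0
    print("4K list, bits/word:", bits_per_choice(4096))          # 12.0, one more bit
    print("words for 64 bits from 2K list:", words_needed(64, 2048))
    print("8 lowercase chars:", round(password_entropy(8, 26), 1), "bits")
    print("8 printable-ASCII chars:", round(password_entropy(8, 95), 1), "bits")
    sizes = [len(s) for s in STORY_SLOTS]
    print("toy story slots", sizes, "->", story_entropy(sizes), "bits")
    print("example:", generate_story(STORY_SLOTS))
```

Running it shows the two objections in the comment numerically: the toy four-slot story carries 3+3+2+2 = 10 bits, while four words from a 2K mixed list carry 44, so a story template has to keep each slot's list large (256-word slots give 32 bits for four words) or add words to reach a useful target.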