Hacker News new | ask | show | jobs
by leavenotracks 1541 days ago
Individual words then are easily crackable.

But, take 3 long dictionary words chained together...easier to remember and more secure than a shorter randomly generated string.

E.g. postcriptaluminumengagement vs kug45l2wx

Or are there also dictionaries that contain combos of words?! (Would be rather a large dictionary).
3 comments
FabHK 1541 days ago
> E.g. postcriptaluminumengagement vs kug45l2wx

If you pick from a dictionary of 250,000 words, that is around 18 bits. So three randomly chosen words strung together give you around 54 bits. On the other hand, an alphanumeric character is around 6 bits, so 9 of them strung together is about 54 bits.

Assuming your dictionary was 250,000 words, both of the passwords you posted were about the same quality (until you posted them - now they're again about the same quality, but much less).

> Or are there also dictionaries that contain combos of words?!

Your software just concatenates words and other well known sequences (123, zxcvbn).

Check out the great password entropy checker called zxcvbn:

https://github.com/dropbox/zxcvbn

https://dropbox.tech/security/zxcvbn-realistic-password-stre...

https://www.bennish.net/password-strength-checker/

(Note: don't enter production passwords into random websites, needless to say...)

link
Aachen 1541 days ago
3 words is not enough usually, but it technically depends on the dictionary size. Since the formula is dictsize^numwords, adding a word to your phrases is a lot better than adding a thousand words to your dictionary (also because of diminishing returns above ~5 thousand words).

Iirc 6 words is a good size for most dictionaries or 7 words for diceware, but might be off by one so please look around. I remember posting it on the security stackexchange site (I'm currently on mobile, not logged in or I'd look it up in my user) and I'm not the only one who's done this calculation. It also depends on what security level you need (e.g. should it prevent from offline brute force or only online brute force)

link
freemint 1540 days ago
Why are you assuming the advesary knows what dictionary is being used?
link
Aachen 1540 days ago
Because there are only so many words in the world and an English person isn't going to use a Dutch dictionary. At that point it's going to be harder to remember than just random characters of the same entropy.
link
h4waii 1540 days ago
Gone are the days of huge generic dictionaries, a small tailored dictionary with a proper ruleset will pick off 3 word phrases with ease.
link