| There is some seriously bad misinformation in this article, and I feel like maybe the author isn't really familiar with basic information theory. > If you literally just use 4 or 5 dictionary words, someone is going to crack it fast. Bad people can write a program to try a kabillion combinations of words and it will run fast. Wrong. Wrong wrong wrong. If you randomly choose a sequence of 4 or 5 dictionary words you'll have a strong password. This is simple math. The author then tries to support his point with this gem: >One of the wallets, with the password “lorem ipsum dolor sit amet” was cracked in 7 hours, Well, "lorem ipsum dolor sit amet" isn't 5 randomly chosen dictionary words. It's an extremely common 5 word sequence and has nothing like the entropy of a random word sequence. The most important thing about pass phrases is that you have to choose the words randomly. You can't go pulling phrases from movie lines, and you can't even come up with them yourself. You need an unbiased process like a computer or a dice roll to generate it for you. More subtly, you shouldn't be picky about the phrase. If you keep generating new pass phrases until you find one that's memorable, you are drastically reducing the entropy of your phrase. It is plausible that an attacker could build a model that limits their search to memorable phrases, and then you'd be in bad shape. And this last point is where pass phrases need work. What we need is a system for randomly generating passwords that guarantees some level of memorability without sacrificing entropy. Fitting them to roughly sentence formats is one possibility (e.g. adj noun verb noun), so that we can visualize something happening. But it's not an easy problem. |
That "mad-libs" method does reduce entropy quite a bit. I don't know if it reduces it enough to make the password crackable, but the search space is much smaller than just 5 random words.