|
|
|
|
|
|
by venomsnake
4789 days ago
|
|
|
If we assume that English has 65535 words a four word password gives you 64 bits of entropy. Of course the real number of words that you can use for mass generation is 2k (or even less) if we search words that everyone that is standard deviation or two below the mean on the vocabulary graph can use and spell correctly. Spelling is going after the ability to memorize telephone numbers too with everyone using the crutches of autocorrect and other spell checking tools. The moment everyone uses that scheme the people interesting in reversing passwords will move in that direction too. This is fake security trough obscurity. You can get pretty secure passwords nowadays by just concatenating your username and site domain and md5-ing them and taking the first half. It generates awesome passwords ... until you are the only one using this way of deriving passwords. The human brain is not suited for remembering long complex passwords. Even less suited for unique for every service. |
|
|
As for the problem of strong, memorable passwords that can stand up to offline attacks, there is still a gap (a 253 bit password made of 11 bit words would be 23 words long), but I don't think the problem is unsolvable. A project I am interested in working on when I have time is one that produces very long, but memorable high-entropy passwords with rigorously quantified entropy by generating evocative, grammatically structured sentences, using a carefully selected word list and a set of mad-libs style templates.
So to get a ~256 bit pass phrase, you might be left to type out a 50 word poem. It would take effort to memorize, but it would be reasonably doable, whereas memorizing a random 39 character password is extremely difficult for most people.
Moreover, since you'd be working with a limited set of words and grammatical constructs, the password entry form could have robust auto-correction so that typos and spelling errors wouldn't be a significant problem.