> On Aug 16, 2018, at 2:36 PM, procmem <procmem at riseup.net> wrote:
>
> Hi Arnold, Whonix (privacy distro) maintainer here. We are big fans of
> Diceware and were recently revisiting our password advice and so I had a
> few questions:
>
> * How much entropy does a special character add in Diceware?
>
> * I was considering using a massive wordlist/dictionary
> https://packages.debian.org/stretch/wamerican-insane that has about 650K
> words as a way to potentially increase entropy per word to allow using
> less words for passphrases. It came up in discussion that this is a bad
> idea since some of the words are difficult to spell and some very short
> words 3 characters and less harm passphrase strength. Is it that short
> words reduce entropy?
>
> * Do you advise steering clear of dictionaries and sticking to the
> prepackaged wordlists, can you please explain?
>
> * Quantum computers will halve the keyspace using Grover's so we need to
> recommend passphrases with 256 bits today using EFF's wordlist if users
> are to achieve quantum resistance. However this requires 20 words and so
> things start getting unwieldy. What is the best approach to dealing
> with this while maintaining usability as much as possible?
>
> I have CC'd our ML so your reply can benefit our users.

The important thing to understand is that entropy comes from the password or pass phrase creation process. If you select one symbol at random from a set of M distinct symbols, the resulting entropy is log2(M), assuming the selection process is truly random. If you select N symbols from that set the entropy is N*log2(M). Here log2(M) is the base-2 logarithm of M which is equal to log(M)/log(2) in any other base.
Truly random is the tricky part. Ordinary dice come pretty close. Casino dice are nearly perfect. The "random number" function in most computer languages is not adequate for passphrase generation. Crypto-grade random number generators, such as /dev/random can be ok, assuming the computer itself has some source of randomness and has not been compromised.
Selecting random words from your 650K word list will generate 19.3 bits of entropy per word. That’s more than the 12.9 bits from a Diceware list, but you’ll end up with bigger words that are harder to remember and type. It’s a human-factors question; as long as the total entropy is the same, it does not matter from a security viewpoint. Very short words are not a problem, except in the highly unlikely case where the resulting pass phrase is so short that it is subject to brute force attack letter by letter. I recommend a minimum length of 20 characters, including spaces between the letters.
Adding a special character at a random point in the pass phrase gets entropy in two ways. First, there are 32 special characters on a standard U.S. keyboard. Log2(32) is 5. A six-word Diceware(tm) passphrase has about 25 characters on average, plus another 5 spaces, so selecting a random position in the passphrase to add the special character yields about another 5 bits, for a total of 10 bits. If you are using a longer passphrase, you’ll get a little more, but not much.
The advantage of prepackaged Diceware-style word lists, like mine or the EFF’s, is that they are designed to make selection using dice easy. The number of words, 7776, is a power of 6 (the fifth). If you use an ordinary dictionary, you’ll have to figure out exactly how to make a uniformly random selection from it. Also note that many security programs limit the length of passwords, so lists with large words, such as the EFF’s and your 650K dictionary, often generate pass phrases that will be truncated by the input program, which defeats the purpose. The new NIST SP 800-63B guidelines say passwords up to 64 characters should be accepted, but not everyone follows them, particularly Microsoft.
Resistance to quantum computing is somewhat speculative since we do not know when they will arrive or what they will be able to do in practice. Doubling key length is based on good theoretical foundations, but as you point out, a 20-word Diceware pass phrase is needed for 256 bit security. I think that is far more than most people can memorize. You’ll have to write it down. An alternative might be random characters. You can select characters from the set a-z, 0-9 by making a 6 by 6 table with the 36 characters and using two dice to select each character. A password of 50 random characters, or ten 5-character groups, will get you to 256 bits. Still not easy to use. Mixed case helps a little, but typing gets much much harder, not worth it IMHO.
The real solution, I think, is to only use security software that incorporates key stretching for your pass phrase. Algorithms that use a lot of memory as well as processing power, such as HEKS, scrypt or argon2, should be much more resistant to quantum attack. It’s one thing to build a quantum computer with enough coherent q-bits to attack AES, quite another for the millions of q-bits presumably needed to attack argon2, though I have not seen a formal analysis.
Hope this is helpful and thanks for your interest in Diceware,
Arnold Reinhold
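
The arithmetic and selection methods discussed in the message above, as an added Python example that is not part of the original message or of Diceware itself. The function names and the six-word demo list are constructed for illustration; `secrets` draws from the operating system's CSPRNG, and the 6 by 6 table layout (row from the first die, column from the second) is an assumption.

```python
import math
import secrets

def symbols_needed(target_bits, set_size):
    """Smallest N with N * log2(set_size) >= target_bits."""
    return math.ceil(target_bits / math.log2(set_size))

def dice_to_index(rolls):
    """Read dice rolls (each 1-6) as a base-6 number: 5 rolls cover 0..7775."""
    index = 0
    for r in rolls:
        if r not in range(1, 7):
            raise ValueError(f"not a die face: {r!r}")
        index = index * 6 + (r - 1)
    return index

# 6 by 6 table for the a-z, 0-9 set; row = first die, column = second die.
TABLE = "abcdefghijklmnopqrstuvwxyz0123456789"

def char_from_dice(d1, d2):
    """Pick one of the 36 characters from two dice rolls."""
    return TABLE[dice_to_index((d1, d2))]

def random_passphrase(wordlist, n_words):
    """Uniform selection from a list of any size using the OS CSPRNG."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words lower the entropy per word")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return " ".join(words), n_words * math.log2(len(wordlist))

if __name__ == "__main__":
    for name, size in [("Diceware/EFF", 7776), ("650K dictionary", 650_000),
                       ("a-z0-9 characters", 36)]:
        print(f"{name}: {math.log2(size):.1f} bits each, "
              f"{symbols_needed(256, size)} needed for 256 bits")
    demo_list = ["alpha", "bravo", "cargo", "delta", "ember", "fjord"]  # constructed
    print(random_passphrase(demo_list, 4))
```
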
More information about the Whonix-devel
mailing list