Date: Thu, 27 Sep 2018 11:54:30 -0400 From: John Roman <john@...1ce.com> To: passwdqc-users@...ts.openwall.com Subject: Re: pwqgen vs diceware Alexander, Thank you for taking the time to explain this to me, its been immensely informative! On Wed, Sep 26, 2018 at 03:35:33PM +0200, Solar Designer wrote: > On Tue, Sep 25, 2018 at 10:00:43PM -0400, John Roman wrote: > > I'm certainly not here to start a flame war, but I had wondered casually > > which would be most suitable for a user generating a password: pwqgen, > > or diceware? > > Of course, I prefer pwqgen, but I'm biased. > > > what is the random dictionary used for pwqgen? > > It's a list of 4096 English words found in the file wordset_4k.c in the > passwdqc source tree, and starting with the following comment: > > * 4096 English words for generation of easy to memorize random passphrases. > * This list comes from the MakePass passphrase generator developed by > * Dianelos Georgoudis <dianelos at tecapro.com>, which was announced on > * sci.crypt on 1997/10/24. Here's a relevant excerpt from that posting: > * > * > The 4096 words in the word list were chosen according to the following > * > criteria: > * > - each word must contain between 3 and 6 characters > * > - each word must be a common English word > * > - each word should be clearly different from each other > * > word, orthographically or semantically > * > > * > The MakePass word list has been placed in the public domain > * > * At least two other sci.crypt postings by Dianelos Georgoudis also state > * that the word list is in the public domain, and so did the web page at: > * > * http://web.archive.org/web/%2a/http://www.tecapro.com/makepass.html > * > * which existed until 2006 and is available from the Wayback Machine as of > * this writing (March 2010). Specifically, the web page said: > * > * > The MakePass word list has been placed in the public domain. To download > * > a copy click here. You can use the MakePass word list for many other > * > purposes. > * > * "To download a copy click here" was a link to free/makepass.lst, which is > * currently available via the Wayback Machine: > * > * http://web.archive.org/web/%2a/http://www.tecapro.com/free/makepass.lst > * > * Even though the original description of the list stated that "each word > * must contain between 3 and 6 characters", there were two 7-character words: > * "England" and "Germany". For use in passwdqc, these have been replaced > * with "erase" and "gag". > * > * The code in passwdqc_check.c and passwdqc_random.c makes the following > * assumptions about this list: > * > * - there are exactly 4096 words; > * - the words are of up to 6 characters long; > * - although some words may contain capital letters, no two words differ by > * the case of characters alone (e.g., converting the list to all-lowercase > * would yield a list of 4096 unique words); > * - the words contain alphabetical characters only; > * - if an entire word on this list matches the initial substring of other > * word(s) on the list, it is placed immediately before those words (e.g., > * "bake", "baker", "bakery"). > * > * Additionally, the default minimum passphrase length of 11 characters > * specified in passwdqc_parse.c has been chosen such that a passphrase > * consisting of any three words from this list with two separator > * characters will pass the minimum length check. In other words, this > * default assumes that no word is shorter than 3 characters. > > > are they similar? > > No, they're not very similar. passwdqc (pwqgen) uses 4096 words of > lengths 3 to 6. Diceware uses 7776 "words" of a wider variety of > lengths, and some are not actually dictionary words (e.g., digits). > > There are two major versions of Diceware - an older one, and a newer one > introduced by EFF. The EFF one is better in some ways. > > As you note, passwdqc (pwqgen) typically alters the case of the first > letter of words, which results in 8192 possibilities. Punctuation and > digits between words add another 16 possibilities each (so a word with > its adjacent separator character encodes 131072 possibilities). > > > as pwqgen generated phrases increase in size, so to do they increase in > > difficulty to remember. this difficulty is bolstered by the strength > > imparted by pwqgens random inclusion of case, numerics, and specials. > > passwdqc (pwqgen) chooses to alter the case of the first letter of words > or not, and to include the random separator characters or not, depending > on the amount of randomness you try to encode. For example, this > doesn't use case and separators: > > $ for n in `seq 1 5`; do pwqgen random=24; done > Suez-psyche > emblem-unlike > tread-shire > afield-beetle > grace-pitch > > ("Suez" was already capitalized in the input wordlist, and the separator > is always a "-".) > > This encodes 2 bits more by starting to use the case: > > $ for n in `seq 1 5`; do pwqgen random=26; done > humane-Pump > Plunge-Orphan > expand-Creepy > tavern-lay > Loft-Dense > > This encodes another 4 bits (6 bits more than the original) by also > randomizing the separator: > > $ for n in `seq 1 5`; do pwqgen random=30; done > juice-Cheeky > Duly!philip > Ginger$depot > gloria9Fair > Bat3Relate > > At these requested bit sizes, the alternative to using random case and > separators would have been to add a third word, which I think would have > been harder to memorize. But we may reasonably go for it when encoding > even more randomness: > > $ for n in `seq 1 5`; do pwqgen random=36; done > maze-nape-really > tumble-ninety-Taiwan > tube-kin-small > Rhine-shape-shrill > regime-purge-quake > > ("Taiwan" and "Rhine" were that way in the wordlist.) > > Again, adding 3 more bits starts to randomize the case: > > $ for n in `seq 1 5`; do pwqgen random=39; done > Stench-scene-Fried > Legal-Style-bid > total-Prayer-Rid > book-Bony-Urine > Patent-Hamlet-Elder > > Adding another 8 bits (11 more bits total) randomizes the separators: > > $ for n in `seq 1 5`; do pwqgen random=47; done > climb3pelvic$Creek > Herb2Preach4Shoe > chose7furry8Club > flirt-cynic6ease > height4Fault2Thence > > And the above is passwdqc's current default, encoding 47 bits in lengths > ranging from 11 to 20. > > Unfortunately, 48 would be ambiguous in whether it'd request 4 words > without case toggling and without random separators, or addition of > another separator. So it does the latter, actually encodes 51 bits in > 12 to 21 characters, which is much shorter than adding a fourth word. > You can actually get four words starting with 52 bits, and that also > includes case toggling: > > $ for n in `seq 1 5`; do pwqgen random=52; done > Better-shaft-pest-trophy > soil-him-cask-afghan > mostly-Likely-Bravo-Libya > Logic-Nasty-Gown-Lunar > marble-Vocal-baltic-code > > Go for also using random separators, and you can encode 64 bits in four > words. For most current purposes, you won't need to use more than this: > > $ for n in `seq 1 5`; do pwqgen random=64; done > summon-rival$Rough_And > pen5Wrist$swamp7tent > mirror2Blood7League6Candle > Deploy5Into4user3Tarzan > yeah!outset_Bench8Cobra > > Note that 5 words without case toggling and without separators would > only give you 60 bits. > > And the maximum you can currently use is 85 bits encoded in 5 words, > with all the case toggling and specials: > > $ for n in `seq 1 5`; do pwqgen random=85; done > Slug2Index$Stony3Click=item4 > Icon!dark5folly9thing6Tort_ > reform2Cobalt6Senior!newark-Adjust- > Solemn=commit5uptake8Jersey*Cache$ > danish-taxi&Differ5lounge8Damp6 > > Note that 7 words without case toggling and without separators would > only give you 84 bits. > > > diceware offers high entropy passphrases at a low entry cost for the > > user, but is a shorter 3 word pwqgen passphrase just as strong as a > > longer 6 word passphrase from diceware? entropically they seem > > identical. > > No, and no. > > A 3 word pwqgen passphrase encodes 36 (no random toggling and > separators) to 51 bits (with random toggling, separators, and a trailing > character). By default, it's 47. > > A 6 word Diceware passphrase encodes ~77 bits. > > Do you find 6 word Diceware easier to memorize and quick enough to type? > If so, go for it (or use fewer words, see below). > > > pwqgwen offers greater possibility of acceptance from legacy password > > systems that take fewer than 30 characters, but increases the potential > > that a character might be suspect or unsupported. Diceware in turn can > > be adulterated with a case, numeric, or special as needed, but might see > > length issues. > > Right. > > > pwqgen states its capable of > > 24-85 for entropy. diceware seems to appreciate ~77 bits of entropy. > > Right. > > > ive been testing entropy from this page: > > http://rumkin.com/tools/password/passchk.php > > > > and here: > > https://www.rempe.us/diceware/#eff > > > > its worth noting rumkins calculation for entropy seems a little high...a > > 77 bit entropy phrase at diceware will yield a 200 entropy phrase, for > > example...I wonder too what the appropriate entropy calculation is? > > You can't measure entropy of one password just by looking at it, nor by > having a program look at it. Entropy of a random variable is a property > of its distribution, not a property of any one value of it. > > Any attempts to estimate entropy by looking at a password are thus at > best trying to make assumptions about the distribution, and those won't > perfectly match distribution of passwords in the real world, nor that of > a particular password generator. > > Moreover, Shannon entropy is not an appropriate metric for password > strength (even if we could measure it accurately), except for passwords > that came from a uniform distribution. So generated passwords are > pretty much the only case where this metric is applicable, and for those > we're lucky to be able to calculate the entropy from the generator's > design and parameters - like we did above. These are the numbers you > should use if you assume that your adversary knows (or can guess with > almost no effort) that you use a password generator and with what word > list and parameters. > > Also note that for most use cases going for pwqgen's maximum or > Diceware's recommended 6 words is overkill. For example, there's little > point in doing that for online services passwords if you use a unique > password per service and plan on changing the password should you become > aware that it leaked. It makes more sense to do it for data encryption, > such as on your PGP or SSH key or on your encrypted filesystem. Modern > implementations of those are switching to use of modern KDFs with high > enough parameters, which should let you use simpler passphrases (albeit > perhaps not as simple as those I'd recommend you use as unique passwords > for online services), but you'd need to consider what KDF and with what > parameters your software uses (or else use a 1-2 word longer > passphrase). Here's a relevant answer I gave a few days ago: > > https://www.whonix.org/pipermail/whonix-devel/2018-September/001255.html > > I hope this helps, and I'm sorry if it's more than you wanted to know. > > Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.