[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 27 Sep 2018 11:54:30 -0400
From: John Roman <john@...1ce.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: pwqgen vs diceware
Alexander,
Thank you for taking the time to explain this to me, its been immensely
informative!
On Wed, Sep 26, 2018 at 03:35:33PM +0200, Solar Designer wrote:
> On Tue, Sep 25, 2018 at 10:00:43PM -0400, John Roman wrote:
> > I'm certainly not here to start a flame war, but I had wondered casually
> > which would be most suitable for a user generating a password: pwqgen,
> > or diceware?
>
> Of course, I prefer pwqgen, but I'm biased.
>
> > what is the random dictionary used for pwqgen?
>
> It's a list of 4096 English words found in the file wordset_4k.c in the
> passwdqc source tree, and starting with the following comment:
>
> * 4096 English words for generation of easy to memorize random passphrases.
> * This list comes from the MakePass passphrase generator developed by
> * Dianelos Georgoudis <dianelos at tecapro.com>, which was announced on
> * sci.crypt on 1997/10/24. Here's a relevant excerpt from that posting:
> *
> * > The 4096 words in the word list were chosen according to the following
> * > criteria:
> * > - each word must contain between 3 and 6 characters
> * > - each word must be a common English word
> * > - each word should be clearly different from each other
> * > word, orthographically or semantically
> * >
> * > The MakePass word list has been placed in the public domain
> *
> * At least two other sci.crypt postings by Dianelos Georgoudis also state
> * that the word list is in the public domain, and so did the web page at:
> *
> * http://web.archive.org/web/%2a/http://www.tecapro.com/makepass.html
> *
> * which existed until 2006 and is available from the Wayback Machine as of
> * this writing (March 2010). Specifically, the web page said:
> *
> * > The MakePass word list has been placed in the public domain. To download
> * > a copy click here. You can use the MakePass word list for many other
> * > purposes.
> *
> * "To download a copy click here" was a link to free/makepass.lst, which is
> * currently available via the Wayback Machine:
> *
> * http://web.archive.org/web/%2a/http://www.tecapro.com/free/makepass.lst
> *
> * Even though the original description of the list stated that "each word
> * must contain between 3 and 6 characters", there were two 7-character words:
> * "England" and "Germany". For use in passwdqc, these have been replaced
> * with "erase" and "gag".
> *
> * The code in passwdqc_check.c and passwdqc_random.c makes the following
> * assumptions about this list:
> *
> * - there are exactly 4096 words;
> * - the words are of up to 6 characters long;
> * - although some words may contain capital letters, no two words differ by
> * the case of characters alone (e.g., converting the list to all-lowercase
> * would yield a list of 4096 unique words);
> * - the words contain alphabetical characters only;
> * - if an entire word on this list matches the initial substring of other
> * word(s) on the list, it is placed immediately before those words (e.g.,
> * "bake", "baker", "bakery").
> *
> * Additionally, the default minimum passphrase length of 11 characters
> * specified in passwdqc_parse.c has been chosen such that a passphrase
> * consisting of any three words from this list with two separator
> * characters will pass the minimum length check. In other words, this
> * default assumes that no word is shorter than 3 characters.
>
> > are they similar?
>
> No, they're not very similar. passwdqc (pwqgen) uses 4096 words of
> lengths 3 to 6. Diceware uses 7776 "words" of a wider variety of
> lengths, and some are not actually dictionary words (e.g., digits).
>
> There are two major versions of Diceware - an older one, and a newer one
> introduced by EFF. The EFF one is better in some ways.
>
> As you note, passwdqc (pwqgen) typically alters the case of the first
> letter of words, which results in 8192 possibilities. Punctuation and
> digits between words add another 16 possibilities each (so a word with
> its adjacent separator character encodes 131072 possibilities).
>
> > as pwqgen generated phrases increase in size, so to do they increase in
> > difficulty to remember. this difficulty is bolstered by the strength
> > imparted by pwqgens random inclusion of case, numerics, and specials.
>
> passwdqc (pwqgen) chooses to alter the case of the first letter of words
> or not, and to include the random separator characters or not, depending
> on the amount of randomness you try to encode. For example, this
> doesn't use case and separators:
>
> $ for n in `seq 1 5`; do pwqgen random=24; done
> Suez-psyche
> emblem-unlike
> tread-shire
> afield-beetle
> grace-pitch
>
> ("Suez" was already capitalized in the input wordlist, and the separator
> is always a "-".)
>
> This encodes 2 bits more by starting to use the case:
>
> $ for n in `seq 1 5`; do pwqgen random=26; done
> humane-Pump
> Plunge-Orphan
> expand-Creepy
> tavern-lay
> Loft-Dense
>
> This encodes another 4 bits (6 bits more than the original) by also
> randomizing the separator:
>
> $ for n in `seq 1 5`; do pwqgen random=30; done
> juice-Cheeky
> Duly!philip
> Ginger$depot
> gloria9Fair
> Bat3Relate
>
> At these requested bit sizes, the alternative to using random case and
> separators would have been to add a third word, which I think would have
> been harder to memorize. But we may reasonably go for it when encoding
> even more randomness:
>
> $ for n in `seq 1 5`; do pwqgen random=36; done
> maze-nape-really
> tumble-ninety-Taiwan
> tube-kin-small
> Rhine-shape-shrill
> regime-purge-quake
>
> ("Taiwan" and "Rhine" were that way in the wordlist.)
>
> Again, adding 3 more bits starts to randomize the case:
>
> $ for n in `seq 1 5`; do pwqgen random=39; done
> Stench-scene-Fried
> Legal-Style-bid
> total-Prayer-Rid
> book-Bony-Urine
> Patent-Hamlet-Elder
>
> Adding another 8 bits (11 more bits total) randomizes the separators:
>
> $ for n in `seq 1 5`; do pwqgen random=47; done
> climb3pelvic$Creek
> Herb2Preach4Shoe
> chose7furry8Club
> flirt-cynic6ease
> height4Fault2Thence
>
> And the above is passwdqc's current default, encoding 47 bits in lengths
> ranging from 11 to 20.
>
> Unfortunately, 48 would be ambiguous in whether it'd request 4 words
> without case toggling and without random separators, or addition of
> another separator. So it does the latter, actually encodes 51 bits in
> 12 to 21 characters, which is much shorter than adding a fourth word.
> You can actually get four words starting with 52 bits, and that also
> includes case toggling:
>
> $ for n in `seq 1 5`; do pwqgen random=52; done
> Better-shaft-pest-trophy
> soil-him-cask-afghan
> mostly-Likely-Bravo-Libya
> Logic-Nasty-Gown-Lunar
> marble-Vocal-baltic-code
>
> Go for also using random separators, and you can encode 64 bits in four
> words. For most current purposes, you won't need to use more than this:
>
> $ for n in `seq 1 5`; do pwqgen random=64; done
> summon-rival$Rough_And
> pen5Wrist$swamp7tent
> mirror2Blood7League6Candle
> Deploy5Into4user3Tarzan
> yeah!outset_Bench8Cobra
>
> Note that 5 words without case toggling and without separators would
> only give you 60 bits.
>
> And the maximum you can currently use is 85 bits encoded in 5 words,
> with all the case toggling and specials:
>
> $ for n in `seq 1 5`; do pwqgen random=85; done
> Slug2Index$Stony3Click=item4
> Icon!dark5folly9thing6Tort_
> reform2Cobalt6Senior!newark-Adjust-
> Solemn=commit5uptake8Jersey*Cache$
> danish-taxi&Differ5lounge8Damp6
>
> Note that 7 words without case toggling and without separators would
> only give you 84 bits.
>
> > diceware offers high entropy passphrases at a low entry cost for the
> > user, but is a shorter 3 word pwqgen passphrase just as strong as a
> > longer 6 word passphrase from diceware? entropically they seem
> > identical.
>
> No, and no.
>
> A 3 word pwqgen passphrase encodes 36 (no random toggling and
> separators) to 51 bits (with random toggling, separators, and a trailing
> character). By default, it's 47.
>
> A 6 word Diceware passphrase encodes ~77 bits.
>
> Do you find 6 word Diceware easier to memorize and quick enough to type?
> If so, go for it (or use fewer words, see below).
>
> > pwqgwen offers greater possibility of acceptance from legacy password
> > systems that take fewer than 30 characters, but increases the potential
> > that a character might be suspect or unsupported. Diceware in turn can
> > be adulterated with a case, numeric, or special as needed, but might see
> > length issues.
>
> Right.
>
> > pwqgen states its capable of
> > 24-85 for entropy. diceware seems to appreciate ~77 bits of entropy.
>
> Right.
>
> > ive been testing entropy from this page:
> > http://rumkin.com/tools/password/passchk.php
> >
> > and here:
> > https://www.rempe.us/diceware/#eff
> >
> > its worth noting rumkins calculation for entropy seems a little high...a
> > 77 bit entropy phrase at diceware will yield a 200 entropy phrase, for
> > example...I wonder too what the appropriate entropy calculation is?
>
> You can't measure entropy of one password just by looking at it, nor by
> having a program look at it. Entropy of a random variable is a property
> of its distribution, not a property of any one value of it.
>
> Any attempts to estimate entropy by looking at a password are thus at
> best trying to make assumptions about the distribution, and those won't
> perfectly match distribution of passwords in the real world, nor that of
> a particular password generator.
>
> Moreover, Shannon entropy is not an appropriate metric for password
> strength (even if we could measure it accurately), except for passwords
> that came from a uniform distribution. So generated passwords are
> pretty much the only case where this metric is applicable, and for those
> we're lucky to be able to calculate the entropy from the generator's
> design and parameters - like we did above. These are the numbers you
> should use if you assume that your adversary knows (or can guess with
> almost no effort) that you use a password generator and with what word
> list and parameters.
>
> Also note that for most use cases going for pwqgen's maximum or
> Diceware's recommended 6 words is overkill. For example, there's little
> point in doing that for online services passwords if you use a unique
> password per service and plan on changing the password should you become
> aware that it leaked. It makes more sense to do it for data encryption,
> such as on your PGP or SSH key or on your encrypted filesystem. Modern
> implementations of those are switching to use of modern KDFs with high
> enough parameters, which should let you use simpler passphrases (albeit
> perhaps not as simple as those I'd recommend you use as unique passwords
> for online services), but you'd need to consider what KDF and with what
> parameters your software uses (or else use a 1-2 word longer
> passphrase). Here's a relevant answer I gave a few days ago:
>
> https://www.whonix.org/pipermail/whonix-devel/2018-September/001255.html
>
> I hope this helps, and I'm sorry if it's more than you wanted to know.
>
> Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
