@stevefoerster What would be nice would be to include the version with high entropy that humans have been demonstrated to actually be able to remember: diceware style passwords (multiple words, eg like https://xkcd.com/936/ except you want more like 6-7 words these days)


@cwebber @stevefoerster this chart suggests XKCD is right. Even a 3 word passphrase takes like 10 times as long to crack as a gibberish password of 9 or 10 characters.

@cwebber @stevefoerster that is of course as long as you are human. Users on dolphin.town might have trouble generating enough entropy with a paraphrase in their native language...

Eeee eeeee ee eeeeeee!

@msh @cwebber @stevefoerster Only if the attacker brute-forces character by character instead of word by word.

@Creideiki true, but it's still better to use paraphrases.

4-word, English, all lowercase paraphrase with single space word separators: 8.5 * 10^20 combinations of words. That is more than all the possible combinations of 10 printable ASCII characters (6.6 * 10^19), except easier to remember.

Factor in uppercase characters, punctuation (which dictionary attacks cannot find) and other languages and it's even better.

cwebber@octodon.social @stevefoerster

@msh @cwebber @stevefoerster

I don't believe this is correct.

If enough people use 3-4 word phrases, brute force attackers will specifically adapt to this.

Assuming a lexicon of 20,000 words (average native speaker) you get 20,000 ^ 4 permutations or 1.6e+17

Assuming 68 alpha numeric characters (lower, upper, digits, 10 symbols) you only need 10 characters to surpass this (68^10 or 2.1e+18)

@msh @cwebber @stevefoerster That's from brute-forcing characters. Brute-forcing 3 words via an English word dictionary would take considerably less time.

Sign in to participate in the conversation

Hometown is adapted from Mastodon, a decentralized social network with no ads, no corporate surveillance, and ethical design.