evilthought2 Wrote:[.......] this discussion is about password strength and brute forcing random passwords (or randomly picked words) is not easy.
The discussion is also about using passphrases, I hope; that was the lead post in this thread. And as a follow-up, whether 4 (random) word passphrases are strong enough (off-line vs. online) and are feasible given the 20- or 18-character (if numbers and symbols are required) password limit of many sites.
evilthought2 Wrote:Lets assume a hacker has a list of 100,000 words
4 random words from such a large dictionary has entropy of 100,000,000,000,000,000,000
4-word phrases from that 100,000-word dictionary would be longer than the 18-20 character limit. You have to fall back to a passphrase of 2 or 3 words.
- a 2-random-word phrase from that dictionary would have a decimal entropy of 10^10 (27 bits). That seems inadequate to me.
- a 3-word phrase would have a decimal entropy of 10^15 (40 bits), which is a 'few weeks job' to recover on average for certain applications, including WiFi.
What is often forgotten is that if they have a large list with hashes, 50% of the passphrases will be recovered during those few weeks. And for a 4-week example, the chance that my passphrase will be recovered on day 1 is 3.6%.
I don't want to be the lucky one on day 1. And thus I have to go for at least 4 words and would have to make a special dictionary with words of up to 5 letters (for limit 20) or 4 letters (limit 18), which will influence the entropy somewhat. I still think those 18/20-limit sites hurt the use of passphrases severely.
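To put numbers on the reasoning in the post above, here is an added example (my own code, not something posted in this thread) that does the arithmetic for any dictionary size, word count, character limit and guess rate you plug in: the longest word that still fits n words under a limit, the entropy of the phrase, the time for an exhaustive sweep (the average recovery time is half of that), the chance of being among the hashes recovered by a given day of that sweep, and a generator that actually picks the words with a CSPRNG. The word list is a small constructed stand-in so that the example runs offline; the 1e9 guesses/second rate in the comments is an assumed figure, not a measured one.

```python
import math
import secrets

# Constructed word list standing in for a real dictionary (e.g. a 100,000-word list).
# It exists only so this example runs offline; use a real list in practice.
SAMPLE_WORDS = ["apple", "brick", "cloud", "dusk", "ember", "frost", "glade", "harbor",
                "ivory", "jungle", "kite", "lantern", "marble", "nectar", "orbit", "pearl",
                "quartz", "river", "saddle", "thorn", "umber", "velvet", "wharf", "yarn", "zinc"]


def max_word_length(char_limit, n_words, separator_len=0):
    """Longest word that still lets n_words fit in char_limit characters.
    separator_len is the length of the separator between words (0 = none)."""
    return (char_limit - separator_len * (n_words - 1)) // n_words


def usable_words(words, max_len):
    """The part of the dictionary the character limit leaves usable (deduplicated)."""
    return sorted({w for w in words if len(w) <= max_len})


def passphrase_bits(dict_size, n_words):
    """Entropy of n_words chosen uniformly, with replacement, from dict_size words."""
    return n_words * math.log2(dict_size)


def sweep_seconds(dict_size, n_words, guesses_per_second):
    """Seconds to try every possible phrase; on average a phrase falls at half this."""
    return dict_size ** n_words / guesses_per_second


def probability_cracked_by_day(day, sweep_days):
    """The attacker's guess order is independent of which phrase you picked, so an
    exhaustive sweep lasting sweep_days recovers the same fraction of hashes each day:
    by the end of `day` that fraction is day / sweep_days (e.g. 1/28 for a 4-week sweep)."""
    return min(day / sweep_days, 1.0)


def generate_passphrase(words, n_words, char_limit, separator=""):
    """Pick n_words at random (CSPRNG) from the words that fit under char_limit and
    return the phrase together with its entropy in bits for that reduced dictionary."""
    pool = usable_words(words, max_word_length(char_limit, n_words, len(separator)))
    if not pool:
        raise ValueError("no words short enough for %d words under %d chars" % (n_words, char_limit))
    phrase = separator.join(secrets.choice(pool) for _ in range(n_words))
    assert len(phrase) <= char_limit
    return phrase, passphrase_bits(len(pool), n_words)


if __name__ == "__main__":
    # Assumed attacker rate of 1e9 guesses/second (an assumption, not a measurement).
    rate = 1e9
    for n in (2, 3, 4):
        print("%d words from 100,000: %.1f bits, full sweep %.1f days" %
              (n, passphrase_bits(100_000, n), sweep_seconds(100_000, n, rate) / 86400))
    print("chance of recovery on day 1 of a 28-day sweep: %.1f%%" %
          (100 * probability_cracked_by_day(1, 28)))
    for limit in (20, 18):
        print("limit %d, 4 words: max word length %d" % (limit, max_word_length(limit, 4)))
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 4, 20)
    print("sample phrase under 20 chars: %s (%.1f bits from this tiny list)" % (phrase, bits))
```

Feeding it a real 100,000-word list shows the effect the post describes: filtering to words of at most 5 or 4 letters shrinks the usable dictionary, and the entropy of a 4-word phrase drops with it, so compare the bits reported for the reduced list against the unrestricted 4 * log2(100000) before trusting the phrase for off-line attacks.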