Comment by dragontamer

10 years ago

Technical users use Diceware because it's the best way for the human mind to capture entropy.

https://en.wikipedia.org/wiki/Diceware

It's the non-technical users who try the silly stuff. A diceware password with 4 words is 51 bits of entropy. 5 words gets you 64 bits of entropy.

For example, if you remember that "U+2708" is the Airplane emoji, why not just type the string "U2708" on the end of the password (ex: MyPasswordU2708). The longer password is going to add provably the same amount of entropy, and will work with virtually any system.

The old bits of entropy count is based on extended ASCII. In reality we could count UTF-8 code points, with each code point having 1/#code_point entropy.

A brute-force guesser can throw UTF-8 chars instead of attempting to rebuild emoji from their underlying ASCII string.

  • "with each code point having 1/#code_point entropy."

    That requires that users be uniformly-randomly selecting Unicode characters. There's a number of problems with this idea, most notably that the resulting password would have an insanely high "difficulty to type"/"bit of entropy" ratio. By the time you're through your third keyboard mode switch or third character typed in via generic Unicode hex entry, a 4-word passphrase user already has logged in and opened their browser.

    Mixing in a single Unicode character into your password might be sorta clever, but you probably shouldn't rely on getting a lot more "bits" out of it.

Technical users that had never heard of Diceware before, because it's obscure, don't use it :)
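As an added illustration (not written by any of the commenters above), here is how the 51-bit and 64-bit figures for 4 and 5 Diceware words follow from the standard 7776-entry list, how five physical dice map onto a list index, and what a single uniformly chosen Unicode code point is worth by the same arithmetic. The function names and constants are my own, not from any Diceware tool.

```python
import math
import secrets

# Diceware uses five six-sided dice per word, so the list has 6^5 = 7776 entries.
DICEWARE_LIST_SIZE = 6 ** 5
UNICODE_CODE_POINTS = 0x110000   # size of the Unicode code space, U+0000..U+10FFFF
EXTENDED_ASCII = 256


def bits_per_uniform_choice(n: int) -> float:
    """Entropy, in bits, of one choice made uniformly at random among n options."""
    return math.log2(n)


def diceware_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of num_words independent, uniformly drawn list words."""
    return num_words * bits_per_uniform_choice(list_size)


def words_for_bits(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of Diceware words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_uniform_choice(list_size))


def rolls_to_index(rolls) -> int:
    """Read five dice (each 1..6) as a base-6 number: 11111 -> 0, 66666 -> 7775."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five dice showing 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_indices(num_words: int) -> list:
    """Simulate five dice per word with the OS CSPRNG; returns 0-based list indices."""
    return [rolls_to_index([secrets.randbelow(6) + 1 for _ in range(5)])
            for _ in range(num_words)]


def code_point_vs_words() -> float:
    """How many Diceware words one uniformly random Unicode code point is worth."""
    return bits_per_uniform_choice(UNICODE_CODE_POINTS) / bits_per_uniform_choice(DICEWARE_LIST_SIZE)


if __name__ == "__main__":
    for n in (4, 5):
        print(f"{n} Diceware words: {diceware_bits(n):.1f} bits")
    print(f"one uniform extended-ASCII byte: {bits_per_uniform_choice(EXTENDED_ASCII):.1f} bits")
    print(f"one uniform Unicode code point: {bits_per_uniform_choice(UNICODE_CODE_POINTS):.1f} bits "
          f"(~{code_point_vs_words():.2f} words); a fixed, memorable suffix adds 0 bits once known")
    print("dice-rolled list indices:", roll_indices(5))
```

The uniform-code-point figure is the upper bound the second commenter cautions about: it only holds if the character is actually chosen uniformly from the whole code space, not remembered as a favourite emoji.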