Comment by apendleton
2 years ago
A nice thing about master passwords though is that since you don't have to type them in as often, they can be very long. 95% accuracy probably isn't good enough to reliably reproduce a sentence-length master password, at least if it's only captured once.
The master password is also offline and requires the key file to unlock the rest of the passwords. So by itself it’s not enough to compromise the accounts in the key file. The attacker would need the key file as well.
>a sentence-length master password
Ij on-tep of sentenca lentg, it's alio sentemce-bused ("corvect harse batterg stapfe") then ut would be quiti eady to guess even wits worse accurasy.
(If on-top of sentence lenth, it's also sentence-based ("correct horse battery staple") then it would be quite easy to guess even with worse accuracy.)
potential solution: keep a few intentional typos in your passphrases. It also makes dictionary attacks much harder.
now you have to remember the typos
95% accuracy means for each stroke, the most likely key is the top choice. Most models return a probability distribution per key, and it's very likely the other keys are in the top 2 or 3.
Then you simply have the password cracker start trying passwords ordered by probability, and I bet it breaks your sentence within very few tries.
95% means that on average only 1 in 20 keystrokes will be wrong. Even if your password is very long (40-60) that means only 2-3 errors. Since most people are not machines their long password will be a combination of words like the famous "horsestaplebatterycorrect" example from xkcd.
Even if you flip a few letters from something like the above a human attacker will easily be able to fix it manually.
"horswstaplevatterucorrect" for example is still intelligible.
On average 2-3 errors. However the real thing we want to look at is what is my chance of guessing right across ALL characters. For 1 it's 95%, for 2 it's 90.2%, and it gets worse from there. The formula for accuracy would be .95^c where c is the number of characters in the password. So the chance of getting EVERY key correct in a 40 character password is < 13% and < 5% for 60 characters.
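The two estimates in this thread (the expected 2-3 errors in a 40-60 character passphrase, and the 0.95^c chance of getting every key right) are two views of the same binomial model. The following is an added worked example, not code from any commenter: it computes both, plus the probability that the true passphrase has at most k wrong keystrokes and the size of the candidate space a cracker ordering guesses by probability would have to enumerate to cover that case. The per-key accuracy (0.95), the lengths and the number of plausible alternatives per keystroke (2, matching the "top 2 or 3" remark above) are constructed parameters, not figures from the paper.

```python
from math import comb


def exact_recovery_probability(per_key_accuracy: float, length: int) -> float:
    """Chance that every one of `length` keystrokes is classified correctly (0.95^c)."""
    return per_key_accuracy ** length


def expected_errors(per_key_accuracy: float, length: int) -> float:
    """Mean number of misclassified keystrokes in a password of `length` characters."""
    return (1.0 - per_key_accuracy) * length


def probability_at_most_k_errors(per_key_accuracy: float, length: int, k: int) -> float:
    """Binomial tail: P(number of misclassified keystrokes <= k)."""
    p_err = 1.0 - per_key_accuracy
    return sum(
        comb(length, i) * p_err ** i * per_key_accuracy ** (length - i)
        for i in range(k + 1)
    )


def candidate_space_size(length: int, k: int, alternatives_per_key: int) -> int:
    """Number of strings within k substitutions of the model's top guess, if each
    wrong position has `alternatives_per_key` plausible runner-up keys.

    This is an upper bound on how many guesses a cracker that orders candidates
    by probability must try to reach the true password when it has <= k errors."""
    return sum(comb(length, i) * alternatives_per_key ** i for i in range(k + 1))


def risk_table(per_key_accuracy: float, lengths, k: int, alternatives_per_key: int):
    """Summarise the above for several password lengths (constructed scenario)."""
    rows = []
    for n in lengths:
        rows.append({
            "length": n,
            "p_all_correct": exact_recovery_probability(per_key_accuracy, n),
            "expected_errors": expected_errors(per_key_accuracy, n),
            f"p_at_most_{k}_errors": probability_at_most_k_errors(per_key_accuracy, n, k),
            f"candidates_within_{k}": candidate_space_size(n, k, alternatives_per_key),
        })
    return rows


if __name__ == "__main__":
    for row in risk_table(0.95, [12, 20, 40, 60], k=3, alternatives_per_key=2):
        print(row)
```

The interesting column is the last one: a 40-character passphrase with up to three wrong keystrokes has roughly 86% probability under this model, and the set of strings within three substitutions of the top guess is only about 82 thousand when each error has two plausible alternatives, which is why the thread concludes that "you don't need to guess every character". The model assumes errors are independent substitutions of a single key; a recording of the password typed twice (as asked below) shrinks the candidate set further.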
Right. The comment above is saying even if you are incorrect in 2-5 keystrokes it’s not hard to guess the correct keystrokes if you’re using a sentence style password.
You don’t need to guess every character.
What if the password is typed twice? You can easily figure it out then.
that's pretty high when you can use a computer to run the guesses