undefined | Better HN

0 pointsinfogulch11y ago0 comments

Nice! I like this methodology.

I also wonder if all possible trigrams are equally likely.

Question: why wouldn't you just use the passphrase itself as the password? Just because some websites limit password length?

0 comments

3 comments · 1 top-level

Scaevolus11y ago· 2 in thread

The algorithm is [898, 537, 321, 205, 361] -> tidlotexidaifol -> "tidy lot existence daily following". The phrase is generated deterministically from the password, so it's no more secure than the previous steps. It's just a mnemonic to help remember the password.

If by trigram you mean "3-letter word prefix", then yes, they are all equally likely. If you mean "group of 3 words", then no, they're very biased. "raccowsli" is as likely as "afrdisuti", but it will always generate the mnemonic "race cow slipped", and never "racter cowslip slithered".

x1798DE11y ago

Just to add to why you would or would not want to use the passphrase vs. the abbreviation - I've personally found that I find it much easier to actually type a password that consists of words, names or "nonsense words" generated by Markov chains (though not usually ones generated by letter frequencies).

I am often comfortable entering in a given password on a device on which I am not comfortable unlocking my password database (or entering my password database password + keyfile), but I usually have a device which does have my password database on it (phone, laptop, etc), so my application is "it doesn't have to be memorable, it just has to be something I'll enter without making a typo". For whatever reason, I find that entering in "tidlotexidaifol" would be harder for me to do accurately than "tidy lot existence daily following" or "tidylotexistencedailyfollowing".

That said, I like this approach, because some sites (like Bank of America, shockingly), restrict total password length, making a "very long password with relatively low entropy per character" approach infeasible.

Scaevolus11y ago

You could use the phrase if you liked, but each word is only 10 bits of entropy.

One nice thing about having a mnemonic for the password is that you don't have to remember the words precisely -- you can modify the mnemonic to suit your tastes as long as the prefix remains. I originally wrote it to generate passwords that I have to enter frequently (e.g. sudo), so being short was a goal.

I'm working on making actual passphrases with more entropy per word.

1 more reply

j / k navigate · click thread line to collapse