From: Adam Shostack <adam@homeport.org>
Date: Tue, 11 Feb 1997 08:01:37 -0800 (PST)
To: jer+@andrew.cmu.edu (Jeremiah A Blatz)
Subject: Re: Passphrase generation
In-Reply-To: <199702111426.GAA19838@toad.com>
Message-ID: <199702111558.KAA01013@homeport.org>
MIME-Version: 1.0
Content-Type: text/plain


You want to think about how does someone attack the passphrase?

Essentially, there are dictionary methods, where probably passphrasess
are checked.  These are enhanced by the use of changers, where the
word is modified in ways common to people changing passwords:

target
Target
targeT
target0
0target
target1

Crack, by Alex Muffet, produces on the order of 1000 derived words per
word its given.

I use phrases of 30-90 pink elephants with some arbitrary pizzas tossed on
the floor.

Adam


Jeremiah A Blatz wrote:
-- Start of PGP signed section.
| Internaut <unde0275@frank.mtsu.edu> writes:
| > Hi,
| > I am wanting to learn how to generate a passphrase that is at least as
| > strong as the IDEA algorithm.  I have looked several other places on the
| > web for an answer to this, but they all had different things to say that
| > didn't add up (no pun intended :).
| 
| Chech out the cannonical passphrase FAQ:
| http://www.stack.nl/~galactus/remailers/passphrase-faq.html
| 
| This one has some quick reminders of what to do and not to do
| http://www.encryption.com/pphrase.htm
| 
| Bottom line, totally random ASCII will have lots of bits per
| character, but english has about 1.2 bits per character. Misspellings
| can add to that, depending on the extent of mutillation . Combining
| certain words can make your passphrase weaker (such as "To be or not
| to be," "This is my passphrase," etc.).
| 
| HTH,
| Jer
| 
| "standing on top of the world/ never knew how you never could/ never knew
|  why you never could live/ innocent life that everyone did" -Wormhole
-- End of PGP signed section.


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume