  #1  
Old 11-23-2017, 08:05 AM
MorrisCody
Guest
 
Join Date: Mar 2012
Posts: 46
Can I safely tweak an EFF dice-generated passphrase?

Assume I follow the EFF’s instructions for generating a secure password and produce the word list HURT, WEIGH, CHAIRS, BOOKS, HORSE, 8492. Would I decrease the password’s strength if I were to rearrange and slightly tweak the words to produce a more memorable phrase like “HorsesWeighBooks&8492ChairsHurt”?
  #2  
Old 11-23-2017, 09:12 AM
Francis Vaughan
Member
 
Join Date: Sep 2009
Location: Adelaide, Australia
Posts: 4,624
In principle the answer is yes - you would slightly decrease the entropy in the passphrase, and thus its strength. Anything that reduces the 'randomness' component of the password in principle makes it slightly more subject to attack. So the idea that a 'more memorable' ordering of the words reduces the number of possible orderings of the constituent words means there is slightly less randomness present. So an attacker might prefer attacks against 'more memorable' orderings of words ahead of 'less memorable' and thus gain a slight advantage in cracking the password.

All the above is in principle. In reality it makes not a jot of difference.

  #3  
Old 11-23-2017, 09:21 AM
The Lurker Above
Guest
 
Join Date: Jan 2009
Location: Calgary, AB Canada
Posts: 749
Quote:
Originally Posted by MorrisCody
Assume I follow the EFF’s instructions for generating a secure password and produce the word list HURT, WEIGH, CHAIRS, BOOKS, HORSE, 8492. Would I decrease the password’s strength if I were to rearrange and slightly tweak the words to produce a more memorable phrase like “HorsesWeighBooks&8492ChairsHurt”?
Yes. Rearranging, tweaking, or rerolling until you get a set of words you like reduces the strength of your passphrase. Exactly how much is hard to calculate.

The passphrase you find more memorable is very likely to be one lots of other English speakers think is more memorable too. Attackers try to guess your password by trying more common/memorable combinations from the wordlist first, and so will have a better chance of getting your password than if you take the list as generated.

In reality a 6-die passphrase is probably enough overkill (assuming decent hashing/salting on the system's part) that you're still good. So many people use such god-awful passwords that you're likely still among the last few percent cracked. Unless you're a high-value target (celebrity, high-level politician, etc.) I wouldn't worry about it. The bigger issue you'll have is that a lot of systems limit your password to far fewer characters than your passphrase uses.

The worst are systems that don't tell you about the password character limits and just quietly truncate your password. That could leave you with a two- or three-common-English-word password ... that gets cracked very quickly.
  #4  
Old 11-23-2017, 09:31 AM
Chronos
Charter Member
Moderator
 
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 73,183
No, the worst are systems that quietly truncate passwords when you're setting them, but not when you're logging in, and so not only is your password insecure, but you can't even log in, either.
  #5  
Old 11-23-2017, 10:24 AM
The Lurker Above
Guest
 
Join Date: Jan 2009
Location: Calgary, AB Canada
Posts: 749
Quote:
Originally Posted by Chronos
No, the worst are systems that quietly truncate passwords when you're setting them, but not when you're logging in, and so not only is your password insecure, but you can't even log in, either.
I'm not sure about that. In your case you at least know you have a problem...
  #6  
Old 11-23-2017, 10:48 AM
Darren Garrison
Guest
 
Join Date: Oct 2016
Posts: 4,967
Four replies and no link to the relevant XKCD yet?
  #7  
Old 11-23-2017, 12:09 PM
lazybratsche
Guest
 
Join Date: Feb 2006
Posts: 3,683
Quote:
Originally Posted by The Lurker Above
Yes. Rearranging, tweaking, or rerolling until you get a set of words you like reduces the strength of your passphrase. Exactly how much is hard to calculate.
As a quick and dirty empirical estimate, I generated a bunch of random passphrases, and I liked about 1 in 10. If my preferences were completely predictable, my selections would reduce the password space by ~10-fold. That shouldn't be a big deal if you start with a very large password space, where 10-fold (or even 100-fold) reductions will still leave you with a plenty strong password.

Rearranging words in a passphrase could be more harmful. For a six-word phrase, there are 720 possible permutations. Worst case scenario, if rearranging is perfectly predictable, you just went from a password space of ~2^77 to ~2^68. Practically speaking, that should still leave you with a password that's plenty good enough for ordinary use.
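As an added worked example (not code from anyone in the thread), here is the arithmetic behind the estimate above and behind the earlier truncation warning. It assumes the EFF large wordlist of 6^5 = 7776 entries, which the six-word phrase and the ~2^77 figure imply but the thread never states.

```python
import math

# Assumed: the EFF large wordlist (five dice, 6**5 = 7776 entries), which is
# what the thread's six-word phrase and the ~2^77 figure imply.
EFF_LARGE_LIST_SIZE = 6 ** 5

# The OP's rolled words, in the order the dice produced them.
ROLLED_WORDS = ["HURT", "WEIGH", "CHAIRS", "BOOKS", "HORSE", "8492"]


def as_rolled_bits(num_words, list_size=EFF_LARGE_LIST_SIZE):
    """Entropy of a passphrase used exactly as generated: each word is an
    independent uniform draw and contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)


def tweaked_bits(num_words, reorder=False, keep_one_in=1,
                 list_size=EFF_LARGE_LIST_SIZE):
    """Worst-case entropy after the tweaks discussed in the thread.
    reorder: attacker is assumed to know the 'memorable' ordering rule, so
             only 1 of num_words! permutations is needed (-log2(n!) bits).
    keep_one_in: user rerolls and keeps about 1 phrase in keep_one_in; if
             that taste is fully predictable, -log2(keep_one_in) bits."""
    bits = as_rolled_bits(num_words, list_size)
    if reorder:
        bits -= math.log2(math.factorial(num_words))
    if keep_one_in > 1:
        bits -= math.log2(keep_one_in)
    return bits


def surviving_words(words, max_chars, separator=""):
    """Whole words that fit when a system silently truncates the password
    to max_chars characters."""
    used, whole = 0, 0
    for i, word in enumerate(words):
        needed = len(word) + (len(separator) if i else 0)
        if used + needed > max_chars:
            break
        used += needed
        whole += 1
    return whole


def truncated_bits(words, max_chars, separator="", list_size=EFF_LARGE_LIST_SIZE):
    """Lower bound on entropy left after truncation: the surviving whole words
    are still uniform draws; a trailing partial word can only add to this."""
    return surviving_words(words, max_chars, separator) * math.log2(list_size)


if __name__ == "__main__":
    print(f"as rolled:               {as_rolled_bits(6):.1f} bits")
    print(f"reordered:               {tweaked_bits(6, reorder=True):.1f} bits")
    print(f"reordered, 1-in-10 pick: {tweaked_bits(6, True, 10):.1f} bits")
    print(f"truncated to 16 chars:   {truncated_bits(ROLLED_WORDS, 16):.1f} bits")
```

Run as a script it reproduces the ~77.5 and ~68 bit figures from the post above, and shows that a silent 16-character limit leaves only three whole words (about 38.8 bits) of the OP's phrase.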
  #8  
Old 11-24-2017, 07:58 AM
DesertDog
Charter Member
 
Join Date: Oct 2002
Location: Mesa, Ariz.
Posts: 3,360
Shoehorn butterhorse, the password1 for the new age.
  #9  
Old 11-24-2017, 11:34 AM
LSLGuy
Charter Member
 
Join Date: Sep 2003
Location: Southeast Florida USA
Posts: 20,792
Just a reminder that the classic thread is from an earlier new age.
  #10  
Old 11-24-2017, 12:23 PM
Derleth
Guest
 
Join Date: Apr 2000
Location: Missoula, Montana, USA
Posts: 19,846
Quote:
Originally Posted by The Lurker Above
The worst are systems that don't tell you about the password character limits and just quietly truncate your password. That could leave you with a two- or three-common-English-word password ... that gets cracked very quickly.
The worst are systems which can conveniently email you your password if you forget, or email you your password on signup, or email you your password after it's been changed, but, of course, never email you your password when their database was illegally copied because they don't know it's been copied but they do know your password and now the attacker does, too, because they were capable of emailing you your password.

And, of course, they, all doe-eyed and innocent like an architect whose building just collapsed in a massive earthquake which measured 2.5 on the Richter scale, had absolutely no idea what they were doing wrong, or how it could ever be a problem, or how anyone, anywhere could argue against the convenience of being able to email people their passwords.
  #11  
Old 11-24-2017, 02:39 PM
Chronos
Charter Member
Moderator
 
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 73,183
Or e-mail your password to anyone who can tell them what street you lived on as a kid or what your mother's maiden name is.
All times are GMT -5.
Copyright © 2017 Sun-Times Media, LLC.