• bjorney@lemmy.ca
    link
    fedilink
    arrow-up
    43
    arrow-down
    18
    ·
    edit-2
    5 months ago

    Words are the least secure way to generate a password of a given length because you are limiting your character set to 26, and character N gives you information about the character at position N+1

    The most secure way to generate a password is to uniformly pick bytes from the entire character set using a suitable form of entropy

    Edit: for the dozens of people still feeling the need to reply to me: RSA keys are fixed length, and you don’t need to memorize them. Using a dictionary of words to create your own RSA key is intentionally kneecapping the security of the key.

        • sus@programming.dev
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          you memorize the password required to decrypt whatever container your RSA key is in. Hopefully.

            • sus@programming.dev
              link
              fedilink
              arrow-up
              2
              ·
              5 months ago

              I think this specific chain of replies is talking about that actually… though it is a pretty big tangent from the original post

              • bjorney@lemmy.ca
                link
                fedilink
                arrow-up
                1
                arrow-down
                1
                ·
                edit-2
                5 months ago

                “can you string words to form a valid RSA key”

                “Yes this is the most secure way to do it”

                “No, it’s not when there is a fixed byte length”

                -> where we are now

                • sus@programming.dev
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  5 months ago

                  the direct chain I can see is

                  “can you string words to form a valid RSA key”

                  “I would hope so, [xkcd about password strength]”

                  “words are the least secure way to generate random bytes”

                  “Good luck remembering random bytes. That infographic is about memorable passwords.”

                  “You memorize your RSA keys?”

                  so between comments 2 and 3 and 4 I’d say it soundly went past the handcrafted RSA key stuff.

    • shrugs@lemmy.world
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      edit-2
      5 months ago

      so you are saying 44 bits of entropy is not enough. the whole point of the comic is, that 4 words out of a list of 2000 is more secure then some shorter password with leetcode and a number and punctuation at the end. which feels rather intuitive given that 4 words are way easier to remember

      • bjorney@lemmy.ca
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        5 months ago

        No im saying if your password size is limited to a fixed number of characters, as is the case with RSA keys, words are substantially less secure

    • Jtotheb@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      5 months ago

      Sounds like a good point, but claiming that “Words are the least secure way to generate a password 84 characters long” would be pointless.

      • sus@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        and some people will try to just hold a key down until it reaches the length limit… which is an even worse way to generate a password of that length

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      That’s why you need lots of words. (6) If you combine that with a large word list it gets very secure.

    • intensely_human@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      character N gives you information about the character at position N+1

      There is no point in a password cracking attempt during which the attacker knows the character at N but not the character at N+1

      • bjorney@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        If you know the key is composed of English language words you can skip strings of letters like “ZRZP” and “TQK” and focus on sequences that actually occur in a dictionary