[arch-general] How long do you make the passphrase for the private key?

Bennett Piater bennett at piater.name
Tue Jun 25 10:41:27 UTC 2019



On 2019-06-25 12:11, Ralf Mardorf via arch-general wrote:
> Six words are just six words out of an assessable vocabulary.
> 
> "This level of unpredictability assumes that a potential attacker knows
> that Diceware has been used to generate the passphrase, knows the
> particular word list used, and knows exactly how many words make up the
> passphrase." - https://en.wikipedia.org/wiki/Diceware
> 

You seem to be misunderstanding that statement.
The minimum entropy is calculated _assuming_ that the attacker knows 
that you are using diceware *and* which word list you used.
That is part of the threat model.

Think of it this way: In a normal password, you have an alphabet of ~80 
chars and use 10-15 of them.
In diceware, you have an alphabet of >= 8K words and use at least 6 of 
them.

So a diceware passphrase of appropriate (word) length has the same 
entropy as a password with equivalent (char) length, but the diceware 
passphrase is much easier to remember.


More information about the arch-general mailing list