8

Why do we bother with dice ware? Is rolling dice and looking up in a printed book (or using a digital analogue) a string of N random words any more secure than simply repeating a word or two N times?

According to one online entropy calculator, at one hundred trillion guesses per second, it'd take 1.24 hundred trillion trillion centuries to crack my delicious password. And it's super easy to remember. And I don't need dice. Even my grandma could have a memorable and strong password: "type tophat seven times".

I do realize that a formula-based password violates Kerckhoff's Principle, and that using a word relevant to a target would strengthen a targeted attack, but in general terms, is there any theoretical security difference between random words of minimum total length T versus one word repeated sufficiently to reach length T?

bishop
  • 833
  • 6
  • 10
  • 1
    Related question: http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase (which is the most upvoted question here, BTW) – dr_ Aug 13 '15 at 07:06
  • 1
    I think this says more about the poor state of entropy estimates than about the strength of that password. zxcvbn estimates the entropy to be 90.749, but that is only because it doesn't recognize the repetitions. If we just sum up the estimated entropy of each word and the comma, and add another 6 bits because we don't know which of the two words was used in each position, we get an estimate of only 10.4+9.8+5.9+6 = 32.1 bits of entropy. – kasperd Aug 13 '15 at 11:09

2 Answers2

5

Once you say the magic words "targeted attack", I'm not sure that theory has much to say on the topic.

The whole idea of password entropy only makes sense against a generic dictionary / rainbow table attack. Basically, the online entropy estimators are trying to estimate how far an attacker will have to delve into their rainbow table before they find your password. These are based on publicly available rainbow tables.

As you say, only a randomly machine-generated password [1] [2] stands up to Kerckhoffs's principle. As soon as an attacker decides to launch a targeted attack and study your password habits, the entropy value provided by those online estimators no longer makes any sense. By sniffing your TLS packets, they can tell the length of your password, by looking up your email address in databases of leaked passwords [1] [2] they can tell what patterns you like to use for your passwords, etc. They can use information like that to build a targeted rainbow table or brute-force dictionary against which your password will have a significantly lower entropy.

Bottom Line: online entropy estimators are based on what researchers think attackers are using for rainbow tables in a generic attack, and apparently ham,ham,ham,bacon,bacon,ham stands up fairly well against that. Any estimate of how well it would stand up against a actual targeted attack is pure speculation.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
  • 2
    I've created a new question regarding your statement that it is possible to tell the length of a password by sniffing TLS packets: http://security.stackexchange.com/questions/96696/is-it-possible-to-guess-the-length-of-a-password-by-sniffing-tls-packets. – Michael Aug 13 '15 at 11:26
1

there isn't fiable entropy calculation for password determined without true random process

we can calculate entropy of random generated method : choose 5 words in a set of 1024 ( by piece roll) entropy : 5*log2(1024) = 50

for every part which doesn't use random generation we can only calculate entropy when following a specific method.

entropy estimation of your password with knownledge of the generation method

  • 1 random word : 12 (probably less if take at random in a book)
  • 1 other close word : 3
  • number of repetition : 3
  • choose word 1 or word 2: 6

entropy : 24

time to reverse at a rate of 1 billion hash by second : <1second

in fact probably nobody will ever use this generation method to reverse a hash but someone could and this make your password obscure but not secure this doesn't provide any assurance on your security.

but in general terms, is there any theoretical security difference between random words of minimum total length T versus one word repeated sufficiently to reach length T?

random words : time for obtain the password = (words pool)^(number of words)

one word repeted : time for obtain the password = words pools + time to figure out the generation method unfortunaly you can't measure this reliably