At 11:11 PM 11/14/95, Ted Cabeen wrote:
Do repeated words in a PGP passphrase make the pass phrase less secure than a passphrase without any repeated words? And on the same note, do repeated letters in a UNIX password make that password easier to break? I can't seem to find anything in my books on cryptography that mention this. Thanks.
More of an information theory question than a crypto question. There are no simple answers to this question, but some examples will help: The password "foo" is not very good, and "foofoo" is only slightly better. And "foofoofoo" is slightly better, and so on, to a point. But "foofoo....foo" is not N times better than a single "foo," because the _pattern_ is simply desribed: "repeat "foo" N times." Thus, the information content or entropy of "foofoofoo....foo" is not N times greater than the entropy of "foo." A some dictionary attacks which would trivially find "foo" will not find "foofoo," or "foofoofoo," etc., so this could be a great help. More sophisticated dictionary attacks may of course take the 30,000 or so most common names, words, places, and then do various permutations, reversals, repetitions, etc. So this is why there is not likely to be a simple answer to your question. Repeating words in a passphrase can make the passphrase easier to remember (such as "thequickquickbrownfox") and make certain kinds of attacks harder, but with not as much of an increase in entropy at the increased number of raw characters might otherwise suggest. Other "heuristics" (simple rules of thumb) for passphrases are contained in the PGP documents, and in numerous other places: avoid names, add nonstandard English keyboard characters liberally (even if using real words), etc. The "best" passphrases, it almost goes without saying, are the longest and most "unpredictable," so that "7f#qp)djQ10hB%3t+1?U4SVp5" is much superior to "%foo%foo". In the real world, where passphrases must be memorized, "long and random" is an elusive goal, which has to be weighed against the risk of other attacks (such as capturing keystrokes with a sofware monitor, or from afar with a van Eyk antenna, etc.). Me, I use a nonsense phrase which has meaning to me, with a few garbage characters added to confuse things further. I don't think my passphrase is the weak link. --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway."