Proposal - memorizing simple passwords which are hard to crack

[grarpamp]

Oops, wrong table, actually...

The range [a-z0-9] yields...
8c = 41b , 13c = 64b , 16c = 80b ... 25c = 128b

The range of 95 printable chars yields...
8c = 52b , 10c = 64b , 13c = 80b ... 20c = 128b

Obviously peoples's 8 char constructs are often
worse than that, and few users will remember the
20+ random chars required to match 128bit crypto.

/usr/dict/words has roughly 220-250k entries, which is
a much larger range that people think is great since
now only 8 things (not 20+) are needed to beat 128 bits...
8w = 128b , 15w = 256b

Until they realize that memorizing even 8 drafted
at true random from that can potentially be difficult...

f=words ; for w in $(jot 8 1) ; do echo -n "$w:" ; l=$(jot -r 1 1 $(wc
-l $f | awk '{print $1}')) ; grep -n . $f | grep "^$l:" ; done | sed
's,:.*:,:,'

1:philologue
2:hypermakroskelic
3:misogynic
4:Platycercus
5:unapprehensiveness
6:stare
7:Hippolytidae
8:henotheism

So they start trying to cut the range down in various ways,
often by regenerating until they get something they like which
is really composed of a much smaller virtual brain range,
or by ways like using from only the 4 to 8 char word size...

f=words ; for s in $(jot $(wc -L $f | awk '{print $1}') 1) ; do echo
-n "$s:" ; egrep "^.{$s}$" $f | wc -l ; done | grep '^[4-8]:'

[snip]

Which leaves a range of roughly 85k words, which when combined with
other cuts "sensemaking" and "memory easing", will remove available
entropy, thus driving up the word count needed to match 128 bit equivalence.

12 words randomly chosen from the 1700 most popular words
will yield 128 bits, 13 from 1000, 11 from 3200, 8 from 66000, etc.

It's assumed no one has ever cracked 128-bit anything,
so less than that might still be available, for lifetime purposes,
by seeing if whatever has been cracked to date, plus a nice safety
margin of say 32 bits or whatever bumps it out beyond need.

> Yes, understand, but remembering a 'story' is IHMO the same
> as remembering a poem we've learned at school.

Not necessarily because to actually achieve the expected entropy
the "made-up story" must be unlimited to choosing words which
can represent the random chars, from a sizable range, which can
yield a degree of nonsense. Human language is not random, it is
constrained to using only words and structures that make sense,
thus we have books, and to lesser sense art such as poem, lyric, etc.

Then there are...
https://www.youtube.com/watch?v=9X0F1Qjn0Ac Things you never see
And things Ratboi says like...
"As soon as I put this hot poker in my ass I'm going to chop my dick off!"
But since he already said and did that, best not use it as a passphrase.

And now with AI able to assemble words according to human
language structures, and dump them through ASIC powered
crack engines, relying only on simplistic made-up stories
might not be sufficient either. For example, if your respective
substitution range is only 95 words, you need 20+, same
as if your story is kinder-school level.

Beating the machines requires modelling combinations of a
variety of elements and calculating estimates of the real entropy
expected from what methods are being used.

Quantum or not, entropy is hard for the human brain to manage.
A few people have more luck than others...

https://www.recordholders.org/en/list/memory.html

And after a good run in with Dr. Rubberhose,
you might not even remember your name.