==Example methods==
One method to create a strong passphrase is to use [[dice]] to select words at random from a long list, a technique often referred to as [[diceware]]. While such a collection of words might appear to violate the "not from any dictionary" rule, the security is based entirely on the large number of possible ways to choose from the list of words and not from any secrecy about the words themselves. For example, if there are 7776 words in the list and six words are chosen randomly, then there are ''7,776<sup>6</sup> = 221,073,919,720,733,357,899,776'' combinations, providing about 78 bits of [[entropy (information theory)|entropy]]. (The number ''7776'' was chosen to allow words to be selected by throwing five dice. ''7776 = 6<sup>5</sup>'') Random word sequences may then be memorized using techniques such as the [[memory palace]].

Another is to choose two phrases, turn one into an [[acronym]], and include it in the second, making the final passphrase. For instance, using two English language typing exercises, we have the following. ''The quick brown fox jumps over the lazy dog'', becomes ''tqbfjotld''. Including it in, ''Now is the time for all good men to come to the aid of their country'', might produce, ''Now is the time for all good tqbfjotld to come to the aid of their country'' as the passphrase.

There are several points to note here, all relating to why this example passphrase is not a good one.
* It has appeared in public and so should be avoided by everyone.
* It is long (which is a considerable virtue in theory) and requires a good typist as typing errors are much more likely for extended phrases.
* Individuals and organizations serious about cracking computer security have compiled lists of passwords derived in this manner from the most common quotations, song lyrics, and so on.

The [[Pretty Good Privacy|PGP]] Passphrase FAQ<ref name="passphrasefaq">{{cite web |date=1997-01-13 |author=Randall T. Williams |title=The Passphrase FAQ |url=http://www.iusmentis.com/security/passphrasefaq/ |access-date=2006-12-11}}</ref> suggests a procedure that attempts a better balance between theoretical security and practicality than this example. All procedures for picking a passphrase involve a tradeoff between security and ease of use; security should be at least "adequate" while not "too seriously" annoying users. Both criteria should be evaluated to match particular situations.

Another supplementary approach to frustrating brute-force attacks is to derive the key from the passphrase using a [[key derivation function|deliberately slow hash function]], such as [[PBKDF2]] as described in RFC 2898.
{{main|Key stretching}}
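
The dice-based selection and the PBKDF2 key-stretching step described above, as an added Python example that is not part of the original article. The word list is a constructed stand-in (entries named after their dice keys), and the function names, the 16-byte salt and the iteration count are assumptions.

```python
import hashlib
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # 7776 entries, as in the text

def roll_key():
    """Simulate five dice with a CSPRNG; returns a key such as '16342'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def key_to_index(key):
    """Read a dice key as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE_PER_WORD}-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index

# Constructed stand-in for a real word list: entry i is just "w" plus the dice
# key that selects it. Replace with 7776 real words, one per key.
def _index_to_key(i):
    digits = []
    for _ in range(DICE_PER_WORD):
        i, r = divmod(i, 6)
        digits.append(str(r + 1))
    return "".join(reversed(digits))

WORDLIST = ["w" + _index_to_key(i) for i in range(LIST_SIZE)]

def make_passphrase(n_words=6, roll=roll_key):
    """Pick n_words independently and uniformly; `roll` may be real dice input."""
    return " ".join(WORDLIST[key_to_index(roll())] for _ in range(n_words))

def entropy_bits(n_words, list_size=LIST_SIZE):
    """log2 of the number of equally likely passphrases."""
    return n_words * math.log2(list_size)

def stretch(passphrase, salt, iterations=600_000):
    """PBKDF2-HMAC-SHA256; the iteration count is an assumed work factor."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)

if __name__ == "__main__":
    phrase = make_passphrase()
    salt = secrets.token_bytes(16)       # stored beside the derived key
    print(phrase, f"({entropy_bits(6):.1f} bits)")
    print(stretch(phrase, salt).hex())
```

The entropy figure holds only when every word is drawn uniformly and independently; rerolling until the phrase "looks nice" reduces it.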