1 Non-English characters
It's better not to mention non-English characters, there can be potential incompatibilities between clients... Or we need to test and make sure all clients handle characters exactly the same way. --NxtChg (talk) 13:06, 1 February 2014 (MST)
- Good point. I'll comment it out for now, will put in back in after we can test the clients. Zahlen (talk) 12:09, 2 February 2014 (MST)
2 Describing entropy to the layman
I'd like to, as much as possible, keep this article accessible to the layman. Instead of complex terms like "more bits of entropy" or "greater Kolmogorov complexity", I'm going to go with "harder to describe", and (more simplistically) "less readable". What do folks think? -Zahlen (talk) 12:16, 2 February 2014 (MST)
3 Passphrases consisting of randomly generated words
A few people have suggested them as easy-to-remember, yet strong passphrases. I strongly disagree with them being easy to remember. Phone numbers are already hard enough to remember with only 10 possibilities per digit.
An often quoted source is the famous xkcd comic. But that comic is dated, a 4 word passphrase is no longer safe. More words are hard to remember because human memory records things in limited "chunks". To quote from the article: 'Miller wrote that "With binary items the span is about nine and, although it drops to about five with monosyllabic English words,..."'
Diceware is interesting in that it doesn't involve computer generation, and the webpage does try to explain why a certain strength is needed. I really like how the wordlist is presented with the corresponding dice numbers. And, my math senses like how nice a number 6^5 is. Though I think it gets too paranoid at the end about closing curtains and such...
But if you examine the wordlist closer, you'll see it's not well chosen. Consider the sample passphrase given on the page: "cleft cam synod lacy yr". What the heck is 'synod'? Will people remember 'lacy' or 'lacey', 'yr' or 'year' or 'your'?
I do agree such passphrases are much easier to type than passphrases consisting of random chars. This should still be an option we present to readers, but I'm against making it the most prominent one. --Zahlen (talk) 13:17, 2 February 2014 (MST)
4 Password generating programs
- You may do better than software, but most humans are much much worse than computers when generating random passwords with real entropy. Omosit (talk) 11:51, 3 February 2014 (MST)
- I don't simply mean trust in terms of the probability distribution of chosen chars/words. I also mean trust in terms of security. Open source doesn't guarantee the software is safe, it just means it's reviewable. Reviewing requires time, during which early users may be compromised.
5 30 Characters
30 Characters aren't needed, and suggesting 50 to 70 characters, is outright nonsense.
- 30 characters aren't needed, if all the chars are chosen uniformly and at random. If not, e.g. an 8 word passphrase will most likely exceed 30 chars.
- I agree 70 is overkill (unless you use spaces between words?). Depends on how the words are chosen (seems difficult to educate the user here), and how rainbow table construction proceeds in future (an unknown). Very hard to pin down a safe length. I did say that the sample passphrases past the 47 char are if you want to be 'super safe', but currently that's not presented clearly to a reader. Reformatted the section to try to reflect this. --Zahlen (talk) 14:20, 3 February 2014 (MST)