0

My question is, is it more reliable having a password that is composed by words like FootballPractice more secure than using a password that has only 2 or 3 bits less, for example FootbalPractic , my assumption is that the latter although it has less Entropy because it has 2 bits less than the other, is more secure because it is protected from dictionary attacks, if i made my question unclear let me know and i will edit to try to explain it better

Magmagod
  • 105
  • 4
  • 1
    Don't assume that a few typos protect you from a dictionary attack. Any decent dictionary attack will include typos and common substitutions. – S.L. Barth Feb 22 '16 at 15:58
  • Well i thought this up just because i have a real hard time remembering random passwords and i'm not exactly creative when creating passwords, normally i use a password manager, but i still need a reasonable master password to protect the others, i thought about doing something similar to this so i decided to come ask – Magmagod Feb 22 '16 at 16:01
  • Check out [diceware](http://world.std.com/~reinhold/diceware.html). Each word gives you an additional 13 bits of entropy. – SilverlightFox Feb 22 '16 at 16:06
  • @Magmagod Ah, now I understand the problem. There is the famous [XKCD scheme](https://xkcd.com/936/). We have a page about it [here](http://security.stackexchange.com/questions/62832/is-the-oft-cited-xkcd-scheme-no-longer-good-advice); you may find that page useful. – S.L. Barth Feb 22 '16 at 16:08
  • While longer passwords tend to have higher entropy its not always true -- it depends on the mechanism used to generate the password. E.g., choosing a common 8-character password like `password` (takes up 8 bytes in ASCII) has a very low entropy you could find this on a list of the top 16 passwords so about 4 bits of entropy (2^4 = 16). Meanwhile `Bx.hC&V` a 7-char password generated by randomly selecting one of 94 printable characters (97^7 = 64847759419264 ≈ 2^45.9 ) has about 45.9 bits of entropy. Modifying words in your passphrase by truncating a letter adds a couple bits of entropy. – dr jimbob Feb 22 '16 at 16:26
  • 1
    However a password like `FootballPractice` or `FootbalPractic` is still incredibly weak (two random words chosen from a reasonable sized dictionary generally have ~13 bits of entropy), so at best `FootballPractice` would be originally be say 26 bit words, except the phrase is meaningful and likely not random, so its much lower entropy less than this. Even if you added say ~6 bits of entropy by truncating letters, it's still within the regime of online brute-force attacks. A password's entropy is the base-2 logarithm of the number of possible passwords it was chosen from. – dr jimbob Feb 22 '16 at 16:35
  • CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN – SDsolar Jun 02 '17 at 02:44

1 Answers1

2

Passwords do not have entropy, only the method used to generate the password has entropy.

If the attacker knows you use a wordlist then they can use the same wordlist to construct their guesses. If you take off the last letter of each word in your generation list, and the attacker knows this, they simply take off the last in theirs. The entropy would be exactly the same.

Your technique may enable your chosen passwords to go under the radar in a non-targeted dictionary attack, however in any targeted attack they may discover how you generate your passwords and alter their wordlist accordingly (e.g. from other breaches that may reveal your password when it has been cracked, from public website posts, etc).

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
  • So what you are saying is, this method is _usable_ if i don't expect to be targeted in the websites i am using them at? – Magmagod Feb 22 '16 at 15:58