Score:0

Generating Complex Passwords from (Non-)Memorable Phrases - Need Advice

mg flag

I've been thinking about creating strong and unique passwords for my online accounts, but I also want them to be memorable. I've come across the idea of using a memorable passphrase as the basis for a complex password generation. Specifically, I'm considering hashing the passphrase to generate the complex password, such as hash function like SHA-256 or bcrypt to convert the passphrase into a fixed-length hash. This hash will serve as my complex password, usually for PGP keys or encrypted database for other passwords.

Example: input > MD2 > Base85 (=password)

  • Input passphrase: password
  • MD2: f03881a88c6e39135f0ecc60efd609b9
  • Base85: AhZ##3&[email protected]@q.DNAS,I20KET&

That gives entropy of 210 bit. Yet, the input is extremely poor.

I'd love to hear your thoughts and any advice you might have on this approach. Is it a good idea for creating strong passwords that are also easy to remember in such a way having a scheme? Are there any security concerns or best practices I should keep in mind, ora any other tools for that purpose?

Eugene Styer avatar
dz flag
How is this better than existing password managers?
Score:0
nr flag
J_H

That gives entropy of 210 bit.

No.

Suppose the enemy knows or can usefully assume that Alice sends only 0 or 1 after flipping a fair coin, and such a flip is channel-encoded in ASCII as either

  • 0: cb530c5177b16f897d9e1f1ee1ff5a0d5e1b7aae8b313746d61d21b7 or
  • 1: a5d8adf6032b5f333d9cd6696dd0c520b4dca7f0c3238aa8de33e87c

Did Alice send 56 × 8 == 448 bits of entropy? Or 56 × 4 == 224 bits of entropy? Certainly not. Alice sent a single bit's worth of entropy, from which the remaining channel bits can be trivially derived.

If the attacker can usefully assume that Alice only chooses 8-char lowercase passwords that appear in Webster's dictionary, then we certainly infer that there is less than 210 bits of entropy. Webster's contains far fewer than 2 ^ 210 8-char words.


Prefer the SHA-3 family of hashes over MD2.

https://datatracker.ietf.org/doc/html/rfc6149#section-7 published 2011

MD2 is clearly showing signs of weakness, and implementations should strongly consider removing support and migrating to another hash algorithm.

I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.