-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
random delimiter support #34
Comments
Hi @anarcat ! Your proposal sounds interesting, but I am still not sure, I understand it correctly. Also your entropy computations look a bit optimistic to me (but I might be wrong, of course). Could you give an example of a cmdline call (as you would imagine it) and the desired output? Thank you very much! |
hi! my entropy calculations do not take into account the word patterns, of course. they are therefore inaccurate in this specific case, but if we treat the password generator as a black box and consider only the character space and length, they should be fairly accurate. i would posit that the rise in entropy would be similar if we did the proper calculation, but i could be wrong about that. the commandline could be a simple binary flag, disabled by default. normal operation:
with the feature enabled:
Maybe the argument could simply have a default of characters to choose from. We could abuse the
With the new feature:
I am not sure exactly what the commandline usage should be, to be honest... |
Hey @anarcat , thank you very much for your explanations! I guess I can understand your proposal better now and would like to do some entropy caculations over the weekend. Frankly, I am not completely convinced yet. The main problem is: we must make sure, this new randomness should be possible with real dice as well. All operations of Then, we have the "special chars" already in the API and I think we must compute, whether the entropy advantage of 'random-delimiter' would overall be really that huge without creating too much confusion otherwise. Concerning delimiters there are even security considerations to be taken into account, but nothing, I guess, one could not solve :) Anyway, please give me two or three days to think it over and I will come back to you then, okay? For now thank you very much for your proposal! |
Has this been implemented? |
Hi @anarcat and @haboutnnah ! My apologies for the late answer - I got no good excuse. I am still a bit reluctant about implementing this feature. Basically, generating an extra password as delimiter could be easily done on the shell by something like:
Generating delimiters with certain restrictions (like: using chars from a certain set only, etc.) would be more complex, but still be doable without a respective diceware feature. Apart from this, introducing such a feature would mean to make computation more complicated and usage more confusing. I'd like to keep diceware as plain and simple as possible. Last not least |
Without knowing this feature request, I'v implemented this in #61. |
while it's nice that you can add an arbitrary delimiter to generated passwords, it would be even better if this software would have the (optional) feature to inject random symbols and digits as separators.
by default, the search space of generated passwords is quite large, but that's mostly due to the length of the password. while one can't assume that the password to be cracked will be all letters in the general case, that means the password generation routine becomes yet another "something you know" and allows the attacker to reduce the search space significantly once they know you use this software.
allowing for random passwords would force attackers to not limit themselves to 52 characters. adding numbers and symbols to that space would add about 20 bits of entropy to every password, at little cost to the human memory.
thanks for your consideration!
The text was updated successfully, but these errors were encountered: