Words are the least secure way to generate a password of a given length because you are limiting your character set to 26, and character N gives you information about the character at position N+1
The most secure way to generate a password is to uniformly pick bytes from the entire character set using a suitable form of entropy
Edit: for the dozens of people still feeling the need to reply to me: RSA keys are fixed length, and you don’t need to memorize them. Using a dictionary of words to create your own RSA key is intentionally kneecapping the security of the key.
Good luck remembering random bytes. That infographic is about memorable passwords.
You memorize your RSA keys?
You memorize the password required to decrypt whatever container your RSA key is in. Hopefully.
Sure but we aren’t talking about that
I think this specific chain of replies is talking about that actually… though it is a pretty big tangent from the original post
“can you string words to form a valid RSA key”
“Yes this is the most secure way to do it”
“No, it’s not when there is a fixed byte length”
-> where we are now
The direct chain I can see is:
“can you string words to form a valid RSA key”
“I would hope so, [xkcd about password strength]”
“words are the least secure way to generate random bytes”
“Good luck remembering random bytes. That infographic is about memorable passwords.”
“You memorize your RSA keys?”
So between comments 2, 3 and 4 I’d say it soundly went past the handcrafted RSA key stuff.
So you are saying 44 bits of entropy is not enough. The whole point of the comic is that 4 words out of a list of 2000 is more secure than some shorter password with leetcode and a number and punctuation at the end, which feels rather intuitive given that 4 words are way easier to remember.
No, I’m saying if your password size is limited to a fixed number of characters, as is the case with RSA keys, words are substantially less secure.
Not if you’re considering security gained versus difficulty of remembering.
You don’t memorize RSA keys
Sounds like a good point, but claiming that “Words are the least secure way to generate a password 84 characters long” would be pointless.
And some people will try to just hold a key down until it reaches the length limit… which is an even worse way to generate a password of that length.
That’s why you need lots of words. (6) If you combine that with a large word list it gets very secure.
You are at the same time right, but … wooosh.
There is no point in a password cracking attempt during which the attacker knows the character at N but not the character at N+1.
If you know the key is composed of English language words you can skip strings of letters like “ZRZP” and “TQK” and focus on sequences that actually occur in a dictionary.
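The two sides of this thread are measuring different things: bits of entropy per memorized item versus bits per character of a fixed-length secret. The script below is an added example, not code from anyone in the thread, that puts numbers on both views: it computes the entropy of a passphrase drawn uniformly from a word list (the 4-words-from-2000 and 6-words-from-a-large-list cases), compares it with uniformly random lowercase letters, printable characters and raw bytes of the same character length, and shows how a known word list shrinks the set of possible next characters after a given prefix. The word list, average word length and the 7776-word list size used for the “large list” case are constructed assumptions for illustration.

```python
import math
import secrets


def passphrase_bits(num_words: int, list_size: int) -> float:
    """Entropy in bits of num_words picks made uniformly at random from a list."""
    return num_words * math.log2(list_size)


def random_chars_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols picked uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size reaching target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def compare_at_fixed_length(num_words: int, list_size: int, avg_word_len: int) -> dict:
    """Same character budget: passphrase vs. random strings of equal length.

    avg_word_len is an assumed average (the thread gives no word lengths); the
    passphrase is assumed to be written without separators.
    """
    length = num_words * avg_word_len
    return {
        "length": length,
        "passphrase": passphrase_bits(num_words, list_size),
        "random_lowercase": random_chars_bits(length, 26),
        "random_printable": random_chars_bits(length, 95),
        "random_bytes": random_chars_bits(length, 256),
    }


# Constructed toy word list for the demo; a real list would have thousands of entries.
WORDLIST = ["apple", "apply", "apron", "battery", "bolt", "correct",
            "horse", "staple", "stapler", "zebra"]


def generate_passphrase(num_words: int, wordlist=WORDLIST) -> str:
    """Pick words with the OS CSPRNG; entropy is num_words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def candidates_after_prefix(prefix: str, wordlist=WORDLIST) -> list:
    """Possible next characters once characters 1..N of a word are known.

    With random bytes every one of 256 values stays possible; with a word list
    only the continuations that occur in the list remain.
    """
    nexts = {w[len(prefix)] for w in wordlist
             if w.startswith(prefix) and len(w) > len(prefix)}
    return sorted(nexts)


if __name__ == "__main__":
    print("4 words from 2000:", round(passphrase_bits(4, 2000), 1), "bits")
    print("6 words from 7776:", round(passphrase_bits(6, 7776), 1), "bits")
    print("words from 7776 to reach 128 bits:", words_needed(128, 7776))
    for k, v in compare_at_fixed_length(4, 2048, 5).items():
        print(f"  {k}: {v}")
    print("next chars after 'ap':", candidates_after_prefix("ap"))
    print("sample passphrase:", generate_passphrase(3))
```

The fixed-length comparison is the point the "RSA key" side is making: 20 characters of random bytes carry 160 bits, while 4 words of 5 letters from a 2048-word list carry 44 bits no matter how the characters look. The per-word figures are the point the xkcd side is making: 44 bits for four memorable words is far more than a short substituted password, and `words_needed` shows how many words a large list needs for a given target.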