nostr:npub15fkerqqyp9mlh7n8xd6d5k9s27etuvaarvnp2vqed83dw9c603pqs5j9gr I think with the restrictions of valid grammar, the number of meaningful English sentences is actually very small compared to random character combinations even with many words. Even if there are billions of them, that's no problem for hashcat.

Discussion

I don't think so. If you consider words as symbols, sure, some of them only have a few possibilities. But some have tens of thousands of possibilities. How many nouns are there in the English language? How many verbs?

And the assumption that the sentence will be strictly perfect English is an extremely poor one to begin with.

And the attacker doesn't have any knowledge that they should be using such a rule set. They just know it's a string of characters. In the case of my example, it's 63 characters. They don't even know how long it is.

It would be stupid for a password policy to be "You have to use a password that strictly conforms to the rules of written English and is between 30 and 40 characters long" but nobody is suggesting doing that, and that's not what the anti-phrase claim itself makes about the security of a phrase.