nostr:npub15fkerqqyp9mlh7n8xd6d5k9s27etuvaarvnp2vqed83dw9c603pqs5j9gr I think with the restrictions of valid grammar, the number of meaningful English sentences is actually very small compared to random character combinations even with many words. Even if there are billions of them, that's no problem for hashcat.

I don't think so. If you consider words as symbols, sure, some of them only have a few possibilities. But some have tens of thousands of possibilities. How many nouns are there in the English language? How many verbs?

And the assumption that the sentence will be strictly perfect English is an extremely poor one to begin with.

And the attacker doesn't have any knowledge that they should be using such a rule set. They just know it's a string of characters. In the case of my example, it's 63 characters. They don't even know how long it is.

It would be stupid for a password policy to be "You have to use a password that strictly conforms to the rules of written English and is between 30 and 40 characters long" but nobody is suggesting doing that, and that's not what the anti-phrase claim itself makes about the security of a phrase.


Discussion

nostr:npub15fkerqqyp9mlh7n8xd6d5k9s27etuvaarvnp2vqed83dw9c603pqs5j9gr see my response to enzymical. If the sentence is mutated in some weird way, you're probably right, but if the sentence has ever been spoken by any human in history it will be trivial to find it with a modern computer.

I don't think the average person is creative enough to NOT pick one of those so it would be a very bad security policy if you're talking about a commercial product.
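As an added illustration (not part of either post), the small calculator below puts numbers on the three attacker models argued over in this thread: guessing from a list of sentences that have already been written, enumerating a grammatical template over word classes, and brute-forcing characters. The vocabulary sizes, corpus size and guess rate are constructed assumptions chosen for the illustration, not measured figures.

```python
import math

# Constructed assumptions for the illustration (not measured figures):
GUESSES_PER_SECOND = 1e10                      # assumed offline rate against a fast hash
NOUNS, VERBS, ADJECTIVES = 20_000, 5_000, 8_000  # assumed word-class vocabulary sizes
FUNCTION_WORDS = 200                           # articles, prepositions, pronouns, ...


def bits_for_alphabet(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: the 'random characters' model."""
    return length * math.log2(alphabet_size)


def bits_for_template(slot_sizes) -> float:
    """Entropy of a sentence built from a fixed grammatical template.

    Each slot is filled uniformly from a word class of the given size, so the
    candidate space is the product of the slot sizes (the 'words as symbols' model).
    """
    return sum(math.log2(n) for n in slot_sizes)


def bits_for_corpus(num_sentences: int) -> float:
    """Entropy when the phrase is one of num_sentences already-written
    sentences that an attacker can simply enumerate."""
    return math.log2(num_sentences)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2.0 ** bits / guesses_per_second


def compare_models() -> dict:
    """(bits, seconds to exhaust) for each attacker model under the assumptions above."""
    # Assumed template: function-word adjective noun verb function-word adjective noun
    template = [FUNCTION_WORDS, ADJECTIVES, NOUNS, VERBS, FUNCTION_WORDS, ADJECTIVES, NOUNS]
    models = {
        "five billion known sentences": bits_for_corpus(5 * 10**9),
        "7-slot grammatical template": bits_for_template(template),
        "63 random lowercase letters": bits_for_alphabet(26, 63),
    }
    return {name: (round(bits, 1), seconds_to_exhaust(bits)) for name, bits in models.items()}
```

Under these assumptions a list of five billion sentences is about 32 bits and falls in well under a second, while a seven-slot template over realistic word classes is above 80 bits, which is the gap the two posts disagree about.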