Three words passwords

Mr. Adams
2012-09-08
2012-11-20
  • Mr. Adams
    2012-09-08

    Hi,

    I read in several articles lately that a password made of three different words is much more secure than a password made of 8 or 10 random characters (e.g. xH7_hfY3&).

    Whichever is indeed a better way… wouldn't it be nice if KeePass (a lovely lovely software btw) would allow a user to generate a password through the three-words method?

    Or maybe it's out there and I'm not aware?

    Thanks

     
  • Julian Taylor
    2012-09-08

    Three words is not particularly secure; you should use more than 5 nowadays unless you have a very large wordlist.

    It would indeed be neat if KeePass had support for wordlists in the password generator, e.g. the Diceware wordlist:
    http://world.std.com/~reinhold/diceware.html

     
  • Mr. Adams
    2012-09-09

    Ok, three or five or seven as they suggest in the link you provided is the easy part.

    Coming up with a wordlist, I'm guessing, shouldn't be that difficult.

    http://wordlist.sourceforge.net/ is one place to get it.

    Well, already one person supporting my idea. What's next? :)

     
  • Paul
    2012-09-10

    Length is king for password security. A password of 27 "a" characters would be much more secure than three words of 5 characters - at that length you need to test all shorter possibilities first, unless you know that you only need to test 27 character passwords. You can choose 3 easy to remember words and then pad around them to generate the length.
    e.g. Three''''''''''''''''easy[[[[[wordS11111

    cheers, Paul

     
  • Mr. Adams
    2012-09-10

    Can I generate this type of password "Three''''''''''''''''easy[[[[[wordS11111" with KeePass? Set 3 words and ask KeePass to generate the random characters around them?

     
  • Paul
    2012-09-11

    KeePass doesn't have a word generator, so no. It's easier to make these yourself because you can use words you remember and pad so it works for you.

    cheers, Paul

     
  • Julian Taylor
    2012-09-11

    > Length is king for password security. A password of 27 "a" characters would be much more secure than three words of 5 characters - at that length you need to test all shorter possibilities first, unless you know that you only need to test 27 character passwords. You can choose 3 easy to remember words and then pad around them to generate the length.
    > e.g. Three''''''''''''''''easy[[[[[wordS11111

    This is dangerous. While length is the most important criterion for passwords, the randomness is crucial too.
    If the characters are not chosen randomly, they do not provide the full 6-7 bits of entropy.
    Password guessers do know about these types of patterns and are going to employ them before starting to randomly search.

    Say you use three random words from a wordlist of about 4000 words and pad it out with 3 random characters repeated randomly up to 10 times, this gives you an entropy of maybe 70 bits, a decent value, but you might as well use just 6 words for the password; it's harder to remember for many people.
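
The entropy comparison discussed in this thread, worked through as an added example (not part of any post and not KeePass code). It assumes an attacker who knows the scheme, words and pad characters chosen uniformly at random, 95 printable ASCII characters, and the 7776-word Diceware list; the function names and the demo wordlist are constructed for illustration.

```python
import math
import secrets

PRINTABLE_ASCII = 95   # assumption: pad/random characters come from printable ASCII
DICEWARE_SIZE = 7776   # 6**5 entries, one per roll of five dice

def word_bits(n_words, list_size):
    """Entropy in bits of n_words drawn uniformly and independently from a list."""
    return n_words * math.log2(list_size)

def padded_bits(n_words, list_size, n_pad_chars, max_repeat,
                alphabet=PRINTABLE_ASCII):
    """Entropy of the padded scheme when the pattern itself is known:
    random words, plus n_pad_chars random characters, each repeated a
    random 1..max_repeat times. The extra length adds no further bits."""
    return (word_bits(n_words, list_size)
            + n_pad_chars * math.log2(alphabet)
            + n_pad_chars * math.log2(max_repeat))

def words_needed(target_bits, list_size):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(wordlist, n_words, sep=" "):
    """Pick each word with the OS CSPRNG; repeats are allowed so picks stay uniform."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed 16-word demo list (4 bits per word): far too small for real use.
DEMO_WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet",
              "harbor", "indigo", "jasper", "kelp", "lumen", "maple", "nectar",
              "onyx", "pewter"]

if __name__ == "__main__":
    rows = [
        ("8 random printable characters", 8 * math.log2(PRINTABLE_ASCII)),
        ("3 words, 4000-word list", word_bits(3, 4000)),
        ("3 words + 3 pad chars x 1..10 repeats", padded_bits(3, 4000, 3, 10)),
        ("6 words, 4000-word list", word_bits(6, 4000)),
        ("5 words, Diceware list", word_bits(5, DICEWARE_SIZE)),
    ]
    for label, bits in rows:
        print(f"{label:40s} {bits:5.1f} bits")
    print("words for 70 bits (4000-word list):", words_needed(70, 4000))
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 6))
```

These figures hold only when the generator makes the choices; words, pad characters or repeat counts picked by a person carry less entropy than the formulas assume.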