passphrase or random characters the safest

Per Tunedal Casual pt at radvis.nu
Sun Jun 5 18:18:31 CEST 2005



At 23:13 2005-05-31, Per Tunedal Casual wrote:
 >At 20:58 2005-05-30, you wrote:
 > >"Roscoe" <eocsor at gmail.com> wrote:
 > >
 > >> Let's say there are about 100000 words in your dictionary. Let's
 > >> also say there are about 100 different characters on your keyboard.
 > >>
 > >> Now for a password of random characters we would need:
 > >> log(340282366920938463463374607431768211456)/log(100) 20 chars.
 > >>
 > >> For a password of random words we would need:
 > >> log(340282366920938463463374607431768211456)/log(100000) 8 words.
 > >>
 > >> So I'm going to have to disagree with your 5 words is better than
 > >> 20 letters[1]. Even if we use a 500000 word dictionary (eg: the
 > >> number in the OED) then that's still 7 words.
 > >>
 > >> Now, that's with randomly picked words. If you want to have some
 > >> coherence to your string of words then that's only going to
 > >> increase the number of words needed.
 > >
 > >If you want to use words, then I would suggest that you select them
 > >from different languages. Then the attacker will have to use a very
 > >large dictionary, one containing all words from all languages, if she
 > >or he doesn't know or can't guess from which languages you have
 > >selected your words. This kind of passphrase will still be relatively
 > >vulnerable to a brute force attack, since the attacker can limit the
 > >characters used in the attack to letters, so throwing in a few special
 > >characters between the words is a good idea.
 > >
 > >Oskar
 > >
 >
 >
 >Thank you Oskar for this idea - it's new to me. Increasing the search
 >space by using several languages is a very easy way to improve the
 >security of a passphrase or a collection of random words. Someone who
 >wants to do some calculations? What about say 1, 2, 3, 4 and 5
 >languages. How many random words are needed to match a 128 bit key?
 >
 >Per Tunedal
 >
I will answer my own question:

Diceware contains 7776 short English words, abbreviations and
easy-to-remember character strings.

If you use 1 language:
log2(7776)=log(7776)/log(2)=3,8908/0,3010=12,92 bits
128/12,92=9,9 words = 10 words

If you use 2 languages:
log2(2*7776)=log(15552)/log(2)=4,1918/0,3010=13,92 bits
128/13,92=9,9 words = 10 words

If you use 3 languages:
log2(3*7776)=log(23328)/log(2)=4,3679/0,3010=14,51 bits
128/14,51=8,8 words = 9 words

If you use 4 languages:
log2(4*7776)=log(31104)/log(2)=4,4928/0,3010=14,92 bits
128/14,92=8,6 words = 9 words

If you use 5 languages:
log2(5*7776)=log(38880)/log(2)=4,5897/0,3010=15,25 bits
128/15,25=8,4 words = 9 words

Three languages and 9 words is the optimal choice.

The creator of Diceware suggests a password corresponding to only 64
bits as a practical choice:
"Of course, if you are worried about an organization that can break a
seven word passphrase in order to read your e-mail, there are a number
of other issues you should be concerned with -- such as how well you pay
the team of armed guards that are protecting your computer 24 hours a
day."

64 bits would give (after correcting calculations):

10 random characters including special characters.
11 random CAPS, small characters (a-z) and numbers (0-9).
13 random small characters (a-z) and numbers (0-9).
14 random small characters (a-z).
20 random numbers (0-9).
5 random Diceware words (one language).
An English phrase with 54 words.

That's a convenient guide, isn't it!

Per Tunedal
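The arithmetic in the post above (bits per random pick, picks needed for a target, the one-to-five-language table and the 64-bit guide) as an added Python example; this is not code from the thread or from Diceware. The pool sizes assumed for the 64-bit guide (95, 62, 36, 26, 10), which the post does not state, and the toy wordlists are assumptions; the generator pools all lists before picking so each word is equally likely, matching the post's log2(N*7776) model.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 7776  # words in one Diceware list, as stated in the post

def bits_per_pick(pool_size):
    """Entropy in bits of one uniformly random pick from pool_size equally likely choices."""
    return math.log2(pool_size)

def picks_needed(pool_size, target_bits):
    """Smallest number of independent uniform picks whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_pick(pool_size))

def words_needed_by_languages(max_languages, target_bits=128, list_size=DICEWARE_LIST_SIZE):
    """Words needed when each word is drawn uniformly from N disjoint Diceware-sized lists.
    The pool is N * list_size: we assume the attacker knows all N lists, which is the
    conservative assumption behind the post's log2(N*7776) figures."""
    return {n: picks_needed(n * list_size, target_bits) for n in range(1, max_languages + 1)}

# Assumed pool sizes for the 64-bit guide (the post does not state them).
GUIDE_POOLS = {
    "printable ASCII incl. special (95)": 95,
    "A-Z, a-z, 0-9 (62)": 62,
    "a-z, 0-9 (36)": 36,
    "a-z (26)": 26,
    "0-9 (10)": 10,
    "Diceware words, one list (7776)": DICEWARE_LIST_SIZE,
}

def guide(target_bits=64):
    """How many random symbols each pool needs to reach target_bits."""
    return {name: picks_needed(size, target_bits) for name, size in GUIDE_POOLS.items()}

def generate_passphrase(wordlists, n_words, sep="-"):
    """Pick n_words with a CSPRNG from the union of wordlists; return (phrase, entropy_bits).
    Lists are pooled first so every word is equally likely regardless of its language."""
    pool = [w for words in wordlists for w in words]
    words = [secrets.choice(pool) for _ in range(n_words)]
    return sep.join(words), n_words * bits_per_pick(len(pool))

if __name__ == "__main__":
    # Constructed toy lists; real Diceware lists have 7776 entries each.
    english = ["apple", "river", "stone", "cloud"]
    swedish = ["äpple", "flod", "sten", "moln"]
    print(words_needed_by_languages(5))  # {1: 10, 2: 10, 3: 9, 4: 9, 5: 9}
    print(guide())                       # 10, 11, 13, 14, 20, 5 picks respectively
    phrase, bits = generate_passphrase([english, swedish], 5)
    print(phrase, f"({bits:.1f} bits from an 8-word pool)")
```

The table reproduces the post's word counts, and the same function gives Roscoe's 20 characters (pool 100), 8 words (pool 100000) and 7 words (pool 500000) for 128 bits.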




More information about the Gnupg-users mailing list