Consider using diceware instead of 0-9a-zA-Z., for passwords #231
Description
Right now we use we choose 9 characters from these 64 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789., characters to generate passwords for new users. While decently secure at 18.01 quadrillion (18,014,398,509,482,000) combinations and 54 bits of entropy, these are hard to type and even more likely to be impossible to remember.
Instead, we might consider implementing diceware for password generation. A 4 word passphrase would have similar strength at 3.65 quadrillion (3,656,158,440,062,976) combinations and 51.70 bits of entropy, but be much easier to type and to remember.
Examples
Here's a comparison of 3 passwords from the current system, and 4 from a possible future system, assuming we addopted Swahili:
| 9 Random Characters | 4 Random Words |
|---|---|
IoVz,gQFr |
tekeleza-baraza-fuata-zuia |
Ww98ieBs1 |
usalama-kwa-ambayo-hizi |
hF.p8Ka6W |
ingi-timu-maendeleo-sana |
Maths used:
R = number of possible characters/words
L = number of chosen characters/words
^ = exponential
7666 = R for diceware (possible words)
64 = R for current (possible characters)
Possible combinations = R^L (in a spreadsheet: =POWER(A3,B3))
Entropy = log2(R^L) (in a spreadsheet: =LOG(POWER(A3,B3),2))