Re: Noob dumb question (extending emacs)

[Emanuel Berg]

Michael Heerdegen wrote:

>>>     48 ln(2)
>>> l = -------- ~ 8.13.
>>>      ln(60)
>>>
>>> That would mean that already for a length of 9 only a small
>>> fraction of passwords are computable.
>>
>> Okay, why do you say/how do you know that?
>
> Anything besides used entropy is deterministic.
>
> If you initialize the seed with a certain entropy, it means
> that you randomly get one seed out of N possible (known)
> seeds. In our case N = 2^31 (or something like that).
>
> To understand the reasoning behind the following it can help
> to assume a small N, e.g. N=2, N=10 or N=100, and then think
> about what fundamentally changes if N is larger (actually
> nothing, you only need accordingly more tries to guess).
> This is all quite trivial, only the large numbers involved
> cloud a bit what is going on.
>
> Ok. Those possible seeds are known (computable) to everyone:
> You start with a random seed out of a public list of
> N seeds.
>
> With each of these seeds, `random' will generate one out of
> N possible predefined sequences of numbers. With the
> exception: If N is larger than the number of possible
> different results of `random' (a finite number of course),
> let's name it "M", then you must set N = M in the
> following considerations.
>
> So if you use a publicly known deterministic algorithm using
> `random', your algorithm will generate one out of N possible
> publicly known password sequences for each call.
>
> Security of these passwords stands and falls with the size
> of N:
>
> Say your algorithm calculates passwords using an alphabet
> consisting of a number b of letters, e.g. b=60 for small and
> capital letters plus some special characters. Then the
> entropy used is enough to generate pseudo-random passwords
> of a length l when b^l ~ N (where "~" means "is
> approximately").
>
> Why? If l is smaller, b^l < N, your algorithm would often
> calculate the same password for different seeds, and you
> would waste a portion of the initial randomness (entropy).
>
> If l is larger, b^l > N, the passwords per se are stronger
> in theory but... that doesn't matter if you publish the
> algorithm that computed the passwords (or one can guess that
> algorithm). Then I still have to try only N passwords, not
> more than when a smaller password length is used. One could
> say that those longer passwords contain redundancy: a part
> of those password strings is determined by the rest of the
> password string and doesn't offer additional security.
>
> The situation would be similar to posting on your homepage:
>
>   "Any of my accounts uses a password out of this list:
>
>  { "nx4BgzrJmZq0+!YPp<O|]8k&Q"<M2-`<nSV#|CH-",
>    "%d~8bqv1j^rl51\6(9#/d[!D91_X_H/=`|&S]|SQ",
>    ":2A]sw=V;--q)RKLOIdoxd`9B+4#Q5[WY\8yFNl",
>    "?ljGuo\-;VF"9;F$MgU~uP|Ztk$!!9kxAsv~,Lv?",
>    ">%M\s=>!xHP9|EMEzR[&Wu&$,\]lS`fN1y:Bc!Ey",
>    "igbf^Hlcxyg,A0MBa>d:!,}{x"j%?Qi^,P<YDP-|",
>    "/iGww)fjE:*$:uv,$>)M=M?|UF2DZ4|>*Mx"&>(;!,
>    "EzIRpdH|;R^1iTAG'*P5LdoJ5sS_Y2kN#S:{S_a\",
>    "rLBtPlQ6Unml'5`+B*l^LA}8>/8C}=I)1(']Zqz+",
>    "Zt.J$fP<$zU)^AH}<ymP-cNkwz%8#1=+A]<1XON!" }
>
>    Those are all very strong passwords, and the method I use
>    to choose one of them randomly is so clever and uses so
>    much entropy that it's impossible to guess it.
>    Try it, Mentalist!"
>
> But since all of those possible passwords are publicly known
> the situation is not better than using a random password out
> of {"0", "1",..., "9"}: not more secure than using random
> passwords of length 1 (even less).
>
> Or using the formula mentioned,
>
>   ln(N)     ln(10)
>   ------ = -------- < 1.
>   ln(b)     ln(60)

I don't think I saw that, what does it say?

I've seen the first one, this

  48 bits, alphabet length n, password length l
  2^48     = n^l            <=>
  48*ln(2) = l*ln(n)        <=>
  l        = 48*ln(2)/ln(n)

which in Elisp is

(defun epwgen-space-size-2 (bits abc-len)
  (/ (* bits (log 2)) (log abc-len) ))

;; (epwgen-space-size-2 48 60) ; 8.13

Are you saying, that it is saying, "with 48 bits passwords
longer than 8.13 chars don't make it more secure"?

-- 
underground experts united
https://dataswamp.org/~incal