Choose autogenerated passphrase wordlist based on $LANG #278

Open
FiloSottile opened this issue Jun 2, 2021 · 4 comments
@FiloSottile (Owner)

BIP-39 already has wordlists for a number of languages, so we can probably stick to those, even if they are not particularly great.

https://github.com/bitcoin/bips/tree/master/bip-0039

@FiloSottile FiloSottile added the CLI label Jun 2, 2021
@str4d

str4d commented Jun 2, 2021

Fortunately, unlike the canonical use-case for BIP 39, it doesn't matter if we switch the word lists later for improved ones! So I'm +1 on this, and will follow in rage.

@covert-encryption

covert-encryption commented Nov 16, 2021

The BIP 39 wordlist has a lot of prefix words, leading to confusion when passwords are created without separators, e.g. uselessoncereal, which can mean either useless-once-real or use-lesson-cereal, all words from the dictionary. Also, some prefixes in it are very underused; for instance, there are no words that start with the letter x. The EFF wordlist is full of very long and complex words, often with only slightly different suffixes. I would suggest rather using ours for English:

https://github.com/covert-encryption/covert/blob/main/covert/wordlist.py

In this list all words are 3-6 letters long to avoid large variation in password lengths, and to keep them simple. Every 3-letter prefix is unique, allowing autocompletion of words after only 2 or 3 letters have been typed, and at the same time avoiding the aforementioned problem. We try to include words that are not easily misread when no separators are used (e.g. badge had to be replaced by bad, which it was naturally seen as anyway).

Similar lists can be generated for other languages with the simple script that we used for this one, if large lists to be used as a starting point are available. It will require some manual exchange of words for maximal quality, though. Our list is under development and we expect a few more words to be replaced in the coming weeks until it is finalised.
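The two wordlist properties argued about in this comment (unique 3-letter prefixes, and no ambiguous parse of a separator-free passphrase) are mechanically checkable. The Go program below is an added example written for this issue; it is not code from age, rage or covert, and the two tiny wordlists in it are constructed for illustration rather than taken from BIP-39 or the covert list. It reports prefix collisions, counts how many ways a separator-free string can be split into list words, and computes the entropy of an n-word phrase from the list size (the 110-bit figure quoted later in the thread is 10 words over a 2048-word list).

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed sample lists (NOT the real BIP-39 or covert wordlists).
// bip39Sample reproduces the prefix problem described in the thread:
// "use" is a prefix of "useless", so "uselessoncereal" parses two ways.
var bip39Sample = []string{"use", "useless", "lesson", "once", "cereal", "real"}

// prefixUniqueSample has a distinct 3-letter prefix for every word.
var prefixUniqueSample = []string{"apple", "bad", "cereal", "dog", "egg"}

// PrefixCollisions groups words by their first n letters and returns only
// the groups with more than one member. An empty result means every
// n-letter prefix identifies exactly one word (the autocompletion property),
// which also guarantees that no word is a prefix of another word of length >= n.
func PrefixCollisions(words []string, n int) map[string][]string {
	byPrefix := map[string][]string{}
	for _, w := range words {
		key := w
		if len(w) > n {
			key = w[:n]
		}
		byPrefix[key] = append(byPrefix[key], w)
	}
	collisions := map[string][]string{}
	for k, ws := range byPrefix {
		if len(ws) > 1 {
			sort.Strings(ws)
			collisions[k] = ws
		}
	}
	return collisions
}

// Segmentations counts the distinct ways s can be split into a sequence of
// list words (dynamic programming over string positions). A value > 1 is
// exactly the ambiguity the comment describes; a prefix-free list yields
// at most one segmentation for any input.
func Segmentations(s string, words []string) int {
	set := map[string]bool{}
	maxLen := 0
	for _, w := range words {
		set[w] = true
		if len(w) > maxLen {
			maxLen = len(w)
		}
	}
	ways := make([]int, len(s)+1)
	ways[0] = 1 // the empty prefix has one (empty) parse
	for i := 1; i <= len(s); i++ {
		for j := i - 1; j >= 0 && i-j <= maxLen; j-- {
			if set[s[j:i]] {
				ways[i] += ways[j]
			}
		}
	}
	return ways[len(s)]
}

// EntropyBits is the strength of an nWords-word phrase drawn uniformly
// from a list of listSize words: nWords * log2(listSize).
func EntropyBits(listSize, nWords int) float64 {
	return float64(nWords) * math.Log2(float64(listSize))
}

func main() {
	fmt.Println("3-letter prefix collisions:", PrefixCollisions(bip39Sample, 3))
	fmt.Println("parses of uselessoncereal:", Segmentations("uselessoncereal", bip39Sample))
	fmt.Println("collisions in prefix-unique list:", PrefixCollisions(prefixUniqueSample, 3))
	fmt.Printf("10 words from 2048: %.0f bits\n", EntropyBits(2048, 10))
}
```

Running a real candidate list through PrefixCollisions with n=3 is the quick way to confirm the "every 3-letter prefix is unique" claim, and Segmentations over a few concatenated phrases shows whether dropping the separator would ever produce more than one reading.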

@str4d

str4d commented Nov 16, 2021

Generated passphrases in both age and rage use hyphen-separated words, so prefix confusion is not a concern here.

@covert-encryption

@str4d I am well aware of that, but tab completion is also a nice thing to have, especially with 10-word passphrases. Four easily memorable words, autocomplete, no word breaks and strong hashing might still be better for file encryption, leaving 10-word (110-bit) phrases for seeding cryptocurrency wallets and other functions where the output must be globally unique.
