Just using the shell, either with built-in tools, or 3rd party generators, for building passwords with at least 70-bits of entropy (1 in at least 1,180,591,620,717,411,303,424 possibilities).
Each provide their own advantages and disadvantages.
All possible 94 graphical characters (not the or) are
Here are my findings of entropy extraction estimates from mouse movement events in the browser. Tables below show the results sorted by the minimum entropy extraction. Timing events, keyboard events, and other potential sources of entropy that can be collected from the user are not considered here.
A [visual representation][1] of slow, medium, and fast mouse movements can help visualize why the entropy estimation increases as the mouse velocity increases. The recorded data was plotted with Gnuplot as follows:
| #!/usr/bin/python3 | |
| import random | |
| # Simple script to simulate biased throws of a single d6 die. | |
| # bias should sum to 1 | |
| # pips ( 1, 2, 3, 4, 5, 6 ) | |
| BIAS = (0.125, 0.125, 0.25, 0.25, 0.125, 0.125) |
| "#", | |
| "$", | |
| "0", | |
| "1", | |
| "2", | |
| "3", | |
| "4", | |
| "5", | |
| "6", | |
| "7", |
| <!doctype html> | |
| <html> | |
| <head> | |
| <meta charset="utf-8"> | |
| <title>Emoji Font Test</title> | |
| <style> | |
| @font-face { | |
| font-family: "emoji"; | |
| src: url("./fonts/TwitterColorEmoji-SVGinOT.ttf") format("truetype"); | |
| } |
| // Citation: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random | |
| /* | |
| * Getting a random number from [0, max) | |
| */ | |
| // DO THIS (unbiased) | |
| function getRandomInt(max) { | |
| var low = (-max >>> 0) % max; | |
| do { var n = Math.random() * 0x100000000 >>> 0; } while(n < low); |
| -----BEGIN PGP SIGNED MESSAGE----- | |
| Hash: SHA512 | |
| # This word list has included material from the JMdict (EDICT, etc.) | |
| # dictionary files in accordance with the licence provisions of the | |
| # Electronic Dictionaries Research Group, and is covered under their | |
| # Creative Commons Attribution-ShareAlike Licence. | |
| # | |
| # http://www.edrdg.org/edrdg/licence.html | |
| # |
This table shows passwords which come from Mark Burnett's 10 million password dump, picking only the top 500. Each password is checked against our strength testers.
See the public Gist of atoponce/password_strength.md about a description of each generator and the strength tester.
| Password | Source | Pwqcheck | Cracklib-check | Pwscore | Zxcvbn |
This table shows passwords generated from a number of different generetors of different strengths,and their results using different strength testing checkers.
See the public Gist of atoponce/password_strength.md about a description of each generator and the strength tester.
| Password | Source | Pwqcheck | Cracklib-check | Pwscore | Zxcvbn |
This is a collection of password generators and strength meter testing. Each generator produces a different array of passwords, of which are then tested against each of the strength meters. The defaults are used where possible, otherwise sane options are provided.
The following results are tables showing the generators, passwords, and strength testers described below.
