rpass

Strong password generator for humans
git clone git://git.sgregoratto.me/rpass

commit 9345ac12d48c29a69fc270be17f973537027e456
parent 0cd4df85af39a61038fadc528f3ec706150d1e58
Author: Tim Kuijsten <info+git@netsend.nl>
Date:   Sun, 15 Dec 2019 15:12:15 +0100

tweak documentation

* link to hashcat results in readme
* state mobile and command-line use cases
* add bugs section to manual about phonetic ambiguity

Diffstat:
M README.md | 23 ++++++++++++++---------
M rpass.1   | 22 ++++++++++++++--------
2 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md @@ -3,18 +3,19 @@ ## Strong password generator for humans Features: -* Both visually and phonetically unambiguous +* Short to type, ideal for use on mobile devices or the command line * No shift or alternate keyboard needed when typing +* Both visually and phonetically unambiguous * Blanks can be inserted at arbitrary places to enhance visual representation ## Requirements Build requirements: -* A C89 compiler +* C89 compiler Run-time requirements: -* Any POSIX-compliant system that supports [arc4random_uniform(3)]. I.e. OpenBSD - or macOS. +* POSIX-compliant system +* support for [arc4random_uniform(3)] (i.e. OpenBSD, FreeBSD, macOS) ## Install on OpenBSD ```sh @@ -42,11 +43,14 @@ loltuk zahxok takrep ``` ## Key space requirements -The 40 bit key space relies on the following requirements: the -password is stored using [bcrypt(3)] with 2^10 rounds, it should only be -secure for one year and the adversary has no more than $25,000.00 to -spend on brute forcing the password (as of 2019). Additional details about this -calculation can be found in the [manual]. + +The default key space of 40 bits relies on the following requirements: +* the adversary has no more than $25,000.00 to spend on brute forcing the + password (as of 2019 according to [8x Nvidia GTX 1080 Ti Hashcat Benchmarks]) +* the password is stored using [bcrypt(3)] with 2^10 rounds +* the password only has to be secure for one year + +Additional details about this calculation can be found in the [manual]. ## Documentation @@ -71,6 +75,7 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +[8x Nvidia GTX 1080 Ti Hashcat Benchmarks]: https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505 [arc4random_uniform(3)]: https://man.openbsd.org/arc4random_uniform.3 [bcrypt(3)]: https://man.openbsd.org/bcrypt.3 [rpass(1)]: https://netsend.nl/rpass/rpass.1.html 
diff --git a/rpass.1 b/rpass.1 @@ -25,10 +25,13 @@ .Sh DESCRIPTION .Nm is a strong password generator for human beings. -The generated passwords are both visually and phonetically unambiguous. +The generated passwords are shorter than Diceware which suits them better for +use on mobile devices, the command line or other environments where one has to +frequently type the password. The passwords are case-insensitive so that there is no alternation between -keyboards when typing the password and blanks can be inserted at arbitrary -places to enhance visual representation. +keyboards on insert. +Blanks can be inserted at arbitrary places to enhance visual representation. +Furthermore, the passwords are both visually and phonetically unambiguous. .Bl -tag -width Ds .It Fl V Print the version of rpass. @@ -71,9 +74,9 @@ jultar ramlap rinwun bemvuh .Pp In order to calculate the required .Ar bitlen -let's consider a scenario with the following requirements. -The generated password will be used for at most half a year and is -stored using PBKDF2-HMAC-SHA256 with a million iterations. +let's consider a scenario with the following requirements: the generated +password will be used for at most half a year and is stored using +PBKDF2-HMAC-SHA256 with a million iterations. Furthermore the adversary has $25,000.00 to spend. According to .Dq 8x Nvidia GTX 1080 Ti Hashcat Benchmarks 
@@ -81,12 +84,15 @@ as of 2019 the adversary can try 15 million hashes per second on PBKDF2-HMAC-SHA256 with a thousand iterations. This would be 15 thousand hashes per second on PBKDF2-HMAC-SHA256 with a million iterations. -Hence a key space of 15,000 * 3,600 * 24 * 183 * 2 = 38.8 bit would be -sufficient. +Hence the required key space is 15,000 * 3,600 * 24 * 183 * 2 = 38.8 bits. .Sh SEE ALSO .Xr bcrypt 3 , .Lk https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505 8x Nvidia GTX 1080 Ti Hashcat Benchmarks +.Lk http://world.std.com/~reinhold/diceware.html The Diceware Passphrase Home Page .Lk https://tools.ietf.org/html/rfc8018 PKCS #5: Password-Based Cryptography Specification .Sh AUTHORS .An -nosplit .An Tim Kuijsten +.Sh BUGS +The phonetic ambiguity of the current set of mnemonics depends on the spoken +language and is currently optimized for the Dutch language.
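Review bot: "i.e." should be "e.g." in the new README line `* support for [arc4random_uniform(3)] (i.e. OpenBSD, FreeBSD, macOS)` (README hunk @@ -3,18): the parenthetical gives examples of systems that ship the function, not the complete set, and the removed line ("I.e. OpenBSD or macOS") had the same slip, so this is the moment to fix it.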
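Review bot: the three bullets in the README key-space hunk (@@ -42,11) describe a different scenario from the one the manual works through: the README assumes `[bcrypt(3)] with 2^10 rounds` and one year of protection, while the rpass.1 hunk in this same commit computes 38.8 bits for PBKDF2-HMAC-SHA256 with a million iterations and half a year, so the closing sentence "Additional details about this calculation can be found in the [manual]" points at a calculation that does not use these parameters. Either align the bullets with the manual's PBKDF2 scenario or add the bcrypt derivation to rpass.1 so the 40-bit figure is actually backed. Separately, "(as of 2019 according to [8x Nvidia GTX 1080 Ti Hashcat Benchmarks])" is attached to the $25,000.00 budget, but the benchmark supplies hash rates rather than a price; move the citation to a phrase about the throughput that budget buys.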
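Review bot: "shorter than Diceware which suits them better for use on mobile devices" (rpass.1 hunk @@ -25,10) wants "passphrases" after "Diceware" and reads better as "which makes them better suited to mobile devices, the command line or other environments ..."; likewise "no alternation between keyboards on insert" should say "when typing the password", as the removed line did. The same hunk ends with the unconditional "Furthermore, the passwords are both visually and phonetically unambiguous." while the new BUGS section states that the phonetic part is optimized for Dutch only; qualify the claim here (for example "phonetically unambiguous in Dutch, see BUGS") so the two sections agree.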
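Review bot: "let's consider a scenario with the following requirements: the generated" (rpass.1 hunk @@ -71,9) is informal for a manual page, and mdoc's one-sentence-per-line convention is easier to keep with "Consider a scenario with the following requirements." on its own line followed by the requirements; "Furthermore the adversary has $25,000.00 to spend." also wants a comma after "Furthermore". The text never says how that budget translates into the 8x GTX 1080 Ti rate quoted on the next lines; one sentence making that link explicit would close the gap.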
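Review bot: "Hence the required key space is 15,000 * 3,600 * 24 * 183 * 2 = 38.8 bits." (rpass.1 hunk @@ -81,12) equates a guess count with its logarithm: the product is roughly 4.7 * 10^11 guesses and 38.8 is log2 of that, so write "log2(15,000 * 3,600 * 24 * 183 * 2) ≈ 38.8" or "≈ 2^38.8 guesses, i.e. 38.8 bits". The trailing factor 2 is unexplained; if it accounts for the adversary hitting the password after searching half the space on average, say so, and a closing sentence relating 38.8 bits to the 40-bit default that the README hunk advertises would tie the two documents together. Minor: the new Diceware `.Lk` uses http while the neighbouring links use https.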