Author: Tim Kuijsten <email@example.com>
Date: Sun, 15 Dec 2019 15:12:15 +0100
* link to hashcat results in readme
* state mobile and command-line use cases
* add bugs section to manual about phonetic ambiguity
2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
@@ -3,18 +3,19 @@
## Strong password generator for humans
-* Both visually and phonetically unambiguous
+* Short to type, ideal for use on mobile devices or the command line
* No shift or alternate keyboard needed when typing
+* Both visually and phonetically unambiguous
* Blanks can be inserted at arbitrary places to enhance visual representation
-* A C89 compiler
+* C89 compiler
-* Any POSIX-compliant system that supports [arc4random_uniform(3)]. I.e. OpenBSD
- or macOS.
+* POSIX-compliant system
+* support for [arc4random_uniform(3)] (i.e. OpenBSD, FreeBSD, macOS)
## Install on OpenBSD
@@ -42,11 +43,14 @@ loltuk zahxok takrep
## Key space requirements
-The 40 bit key space relies on the following requirements: the
-password is stored using [bcrypt(3)] with 2^10 rounds, it should only be
-secure for one year and the adversary has no more than $25,000.00 to
-spend on brute forcing the password (as of 2019). Additional details about this
-calculation can be found in the [manual].
+The default key space of 40 bits relies on the following requirements:
+* the adversary has no more than $25,000.00 to spend on brute forcing the
+ password (as of 2019 according to [8x Nvidia GTX 1080 Ti Hashcat Benchmarks])
+* the password is stored using [bcrypt(3)] with 2^10 rounds
+* the password only has to be secure for one year
+Additional details about this calculation can be found in the [manual].
@@ -71,6 +75,7 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+[8x Nvidia GTX 1080 Ti Hashcat Benchmarks]: https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505
diff --git a/rpass.1 b/rpass.1
@@ -25,10 +25,13 @@
is a strong password generator for human beings.
-The generated passwords are both visually and phonetically unambiguous.
+The generated passwords are shorter than Diceware which suits them better for
+use on mobile devices, the command line or other environments where one has to
+frequently type the password.
The passwords are case-insensitive so that there is no alternation between
-keyboards when typing the password and blanks can be inserted at arbitrary
-places to enhance visual representation.
+keyboards on insert.
+Blanks can be inserted at arbitrary places to enhance visual representation.
+Furthermore, the passwords are both visually and phonetically unambiguous.
.Bl -tag -width Ds
.It Fl V
Print the version of rpass.
@@ -71,9 +74,9 @@ jultar ramlap rinwun bemvuh
In order to calculate the required
-let's consider a scenario with the following requirements.
-The generated password will be used for at most half a year and is
-stored using PBKDF2-HMAC-SHA256 with a million iterations.
+let's consider a scenario with the following requirements: the generated
+password will be used for at most half a year and is stored using
+PBKDF2-HMAC-SHA256 with a million iterations.
Furthermore the adversary has $25,000.00 to spend.
.Dq 8x Nvidia GTX 1080 Ti Hashcat Benchmarks
@@ -81,12 +84,15 @@ as of 2019 the adversary can try 15 million hashes per second on
PBKDF2-HMAC-SHA256 with a thousand iterations.
This would be 15 thousand hashes per second on PBKDF2-HMAC-SHA256 with a million
-Hence a key space of 15,000 * 3,600 * 24 * 183 * 2 = 38.8 bit would be
+Hence the required key space is 15,000 * 3,600 * 24 * 183 * 2 = 38.8 bits.
.Sh SEE ALSO
.Xr bcrypt 3 ,
.Lk https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505 8x Nvidia GTX 1080 Ti Hashcat Benchmarks
+.Lk http://world.std.com/~reinhold/diceware.html The Diceware Passphrase Home Page
.Lk https://tools.ietf.org/html/rfc8018 PKCS #5: Password-Based Cryptography Specification
.An Tim Kuijsten
+The phonetic ambiguity of the current set of mnemonics depends on the spoken
+language and is currently optimized for the Dutch language.