I think this specific chain of replies is talking about that actually… though it is a pretty big tangent from the original post
I think this specific chain of replies is talking about that actually… though it is a pretty big tangent from the original post
if you know there are exactly two additional characters
this is pretty much irrelevant, as the amount of passwords with n+1 random characters is going to be exponentially higher than ones with n random characters. Any decent password cracker is going to try the 30x smaller set before doing the bigger set
and you know they are at the end of the string
that knowledge is worth like 2 bits at most, unless the characters are in the middle of a word which is probably even harder to remember
if you know there are exactly two additional characters and you know they are at the end of the string, the first number is really slightly bigger (like 11 times)
even if you assume the random characters are chosen from a large set, say 256 characters, you’d still get the 4-word one as over 50 times more. Far more likely is that it’s a regular human following one of those “you must have x numbers and y special characters” rules which would reduce it to something like 1234567890!?<^>@$%&±() which is going to be less than 30 characters
and even if they end up roughly equal in quessing difficulty, it is still far easier to remember the 4 random words
you memorize the password required to decrypt whatever container your RSA key is in. Hopefully.
and some people will try to just hold a key down until it reaches the length limit… which is an even worse way to generate a password of that length
this assumes a dictionary is used. Otherwise the entropy would be 117 bits or more. The only problem is some people may fail to use actually uniformly random words drawn from a large enough set of words (okay, and you should also use a password manager for the most part)
the direct chain I can see is
“can you string words to form a valid RSA key”
“I would hope so, [xkcd about password strength]”
“words are the least secure way to generate random bytes”
“Good luck remembering random bytes. That infographic is about memorable passwords.”
“You memorize your RSA keys?”
so between comments 2 and 3 and 4 I’d say it soundly went past the handcrafted RSA key stuff.