Fix documentation recommendations about --no-caps
Closed this issue · 1 comments
By default the single phrase words are capitalized, i.e. the first char of each
word is made uppercase. This does not necessarily give better security
(1 bit at most), but it helps reading a phrase.
This is not true, most diceware wordlists used are not prefix-free. Using --no-caps reduces entropy by an indeterminate amount since the system using the generated password cannot distinguish between:
AirPortable
AirportAble
when using --no-caps, both are lower-cased to:
airportable
Unless you have a prefix-free wordlist (among the built-in wordlists, only the EFF wordlist is prefix-free), the amount of entropy lost when there is neither capitalisation nor word separator is greater than 1 bit.
Thank you @lieryan !
You made a valuable observation and your reasoning is convincing.
I guess the correct way to handle this (apart from fixing the docs), would be to make the wordlists prefix-free. At least the non-historical ones. I will ask the respective authors what can be done.
The EFF-wordlist en_eff, BTW, should be prefix-free already. I more and more tend to make this the default list.
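The collision discussed in this issue can be measured for any wordlist by enumerating phrases and counting how many distinct strings survive joining without a separator. The sketch below is an added example, not code from the diceware project; both wordlists are constructed for illustration and the function names are assumptions.

```python
import math
from collections import Counter
from itertools import product

# Constructed sample lists, not taken from diceware's bundled wordlists.
AMBIGUOUS = ["air", "airport", "portable", "able", "dog", "cat"]
PREFIX_FREE = ["airport", "portable", "able", "dog", "cat", "tree"]


def is_prefix_free(words):
    """True if no word is a proper prefix of another word in the list."""
    ordered = sorted(set(words))
    # After sorting, a word that prefixes any other word prefixes its successor.
    return not any(b.startswith(a) for a, b in zip(ordered, ordered[1:]))


def phrase_stats(words, n_words, caps):
    """Enumerate every n_words-word phrase joined without a separator."""
    counts = Counter(
        "".join(w.capitalize() if caps else w.lower() for w in combo)
        for combo in product(words, repeat=n_words)
    )
    total = sum(counts.values())
    nominal = math.log2(total)
    # Shannon entropy of the resulting string when phrases are drawn uniformly.
    effective = -sum(c / total * math.log2(c / total) for c in counts.values())
    return {"phrases": total, "distinct": len(counts),
            "bits_lost": nominal - effective}


if __name__ == "__main__":
    for name, wl in (("ambiguous", AMBIGUOUS), ("prefix-free", PREFIX_FREE)):
        for caps in (True, False):
            print(name, "caps" if caps else "no-caps",
                  "prefix_free=%s" % is_prefix_free(wl),
                  phrase_stats(wl, 2, caps))
```

On the constructed ambiguous list, "air" + "portable" and "airport" + "able" collapse to the same lowercase string, while capitalised output and the prefix-free list keep every phrase distinct.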