I am coordinating efforts for the information security policy at my office, and I am currently working on password policies. I have a question I wanted to pose to the forum. I'd like to use some form of randomly generated words, rather than randomly generated characters. This isn't so we can remember our passwords (there's only one or two that we each need to know). Rather, it's so they are easy to browse/communicate. In other words, if I am using a computer that doesn't have 1password installed, I want it to be relatively easy to pull up a password on my mobile device and type it into the computer manually. This is way easier if the password is mostly word-based, rather than a series of numbers and characters.
I've read a number of articles on systems to create strong passwords, and I have a question about the relative strength of different password systems. This article makes it clear that a 9-character password of mixed-case characters chosen at random has the same level of entropy as a 4-word password created with diceware. So these passwords would have the same approx. level of entropy, despite the diceware password being significantly longer (26 char):
I'm guessing this is because the first password has 9 discrete characters which must be guessed from a dictionary of 72 possibilities (uppercase and lowercase alphabet), whereas the second password has 4 discrete words that must be guessed from a dictionary of 7776 or so entries, plus 10 or so different options for separator characters.
But what if I followed a system where I generated a diceware password, and then made random substitutions within the words? E.g.
This password is still relatively easy to type between devices (much easier than a random series of letters), but it introduces randomness into the diceware algorithm, meaning the list of dictionary words is no longer useful for trying to crack the password.
My ultimate question is: I'd like to create passwords with the high level of entropy that 4-word diceware passwords, have, but have them only be 3 words long, since that makes them much easier to manage for my team. I believe that a 3-word diceware password with random characters introduced within words would have a higher level of entropy than a 4-word diceware password. Am I wrong?
higher entropy: ge5der-lat_ncy-loT
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided