[Slackbuilds-users] apg-2.2.3 automated password generator

Erich Ritz erich.public at protonmail.com
Wed Nov 20 14:43:11 UTC 2019


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, November 20, 2019 6:33 AM, Jude DaShiell <jdashiel at panix.com> wrote:

> One improvement that could be done to all of these password generators
> is to make sure every password starts with a letter and ends with a
> letter. That makes passwords more difficult by a little to crack. The
> reason for that is mathematics. Numbers and special symbols have a set
> size of 42 (32 special symbols and 10 digits). Letters have a set size of
> 52, all lower-case and upper-case, and the underscore. Why the underscore
> is understood as a letter by some people I don't know; I would have
> thought that would have been a special symbol.
>

Your response is completely off-topic, but I feel I have to respond:

Please don't roll your own crypto.

https://crypto.stackexchange.com/questions/70445/what-is-the-origin-of-the-phrase-dont-roll-your-own-crypto
https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
http://web.archive.org/web/20030629085904/http://www-106.ibm.com/developerworks/library/s-everything.html

Your assertion is wrong.

Assume a 3-character password and 3 different algorithms:
1) Each character is randomly chosen from your numbers/special/letters set (94 total characters)
2) 1st and last password character must be letters.
3) 1st and last password characters CANNOT be letters (only numbers and special symbols).

Algorithm (1) has 94^3=830,584 possible passwords.  Of those, some will begin and end with letters; some will start with a letter and end with a number/special, some will start with a number/special and end with a letter, and some will both start and end with a number/special.
Algorithm (2) has 52*94*52=254,176 possible passwords.
Algorithm (3) has 42*94*42=165,816 possible passwords.

Your rationale compares algorithms (2) and (3) and concludes algorithm (2) is the best.  But, you have completely discounted algorithm (1), which is by far the best algorithm.

In general, adding any restrictions to the password generation decreases entropy.  KeePass (or KeePassXC, can't remember which one) even warns of this when using their built-in password generator.
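The search-space arithmetic in the reply above, carried through for arbitrary lengths, as an added example that is not part of the original messages or of the apg project. It assumes the same 94-character set the thread uses (Python's string.ascii_letters, string.digits and string.punctuation give exactly 52 + 10 + 32), and the function names (search_space, entropy_bits, entropy_lost, generate, compare) are illustrative, not apg's. It goes slightly beyond the 3-character case in the post: the bits lost to a first/last restriction are the same for any length, because only two positions are affected.

```python
import math
import secrets
import string

# Character classes as used in the thread: the 94 printable ASCII characters
# (space excluded), split into 52 letters and 42 digits/special symbols.
# Python's string constants happen to give exactly these sizes (assumption
# stated in the lead-in).
LETTERS = string.ascii_letters                         # 52
DIGITS_SPECIALS = string.digits + string.punctuation   # 10 + 32 = 42
ALL = LETTERS + DIGITS_SPECIALS                        # 94

# The three generation rules compared in the reply. The key is the class the
# first and last character are restricted to; None means no restriction.
EDGE_CLASSES = {
    None: ALL,                      # algorithm 1: any of the 94 everywhere
    "letters": LETTERS,             # algorithm 2: first/last must be letters
    "non_letters": DIGITS_SPECIALS, # algorithm 3: first/last must NOT be letters
}


def position_alphabets(length, first_last=None):
    """Alphabet allowed at each position for the given length and edge rule."""
    if length < 1:
        raise ValueError("length must be at least 1")
    edge = EDGE_CLASSES[first_last]
    alphabets = [ALL] * length
    alphabets[0] = edge
    alphabets[-1] = edge  # for length 1 this is the same position as [0]
    return alphabets


def search_space(length, first_last=None):
    """Number of distinct passwords the rule can produce, assuming every
    position is drawn uniformly from its allowed alphabet."""
    return math.prod(len(a) for a in position_alphabets(length, first_last))


def entropy_bits(length, first_last=None):
    """log2 of the search space: the work factor for an attacker who knows the rule."""
    return math.log2(search_space(length, first_last))


def entropy_lost(length, first_last):
    """Bits given up by a first/last restriction relative to unrestricted sampling.
    Only two positions change, so this does not grow with the length."""
    return entropy_bits(length) - entropy_bits(length, first_last)


def generate(length, first_last=None):
    """Draw one password uniformly from the rule's search space using the
    OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(a) for a in position_alphabets(length, first_last))


def compare(length):
    """Search space and bits for all three rules at the given length."""
    return {
        (name if name else "unrestricted"): (
            search_space(length, name),
            round(entropy_bits(length, name), 2),
        )
        for name in EDGE_CLASSES
    }


if __name__ == "__main__":
    # Length 3 reproduces the three counts given in the reply.
    for n in (3, 12, 20):
        print(n, compare(n))
        for rule in ("letters", "non_letters"):
            print(f"  {rule}: loses {entropy_lost(n, rule):.2f} bits")
    print(generate(16), generate(16, "letters"), generate(16, "non_letters"))
```

An attacker who knows the policy only has to search the restricted space, so the "must start and end with a letter" rule is a small fixed cost of about 1.7 bits at any length; unrestricted uniform sampling is the strongest of the three, exactly as the reply argues.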


More information about the SlackBuilds-users mailing list