Andromxda

  • Joined Dec 25, 2024
  • Mastodon: @andromxda@infosec.exchange

  • The fact that there is a donation is nice, but given the scale of Proton, it seems quite stingy. In fact, I am more inclined to agree that Proton products need to borrow the reputation of GrapheneOS.

    • other8026 I just found it and I have to say: that's really bad! I think there should be some kind of warning on the forum to make people stay away from the FUTO products.

    • gos-users The method works by rolling dice to select words from a list, typically consisting of 7776 possible words. Examples of Diceware passphrases:

      You have a word list with 7776 short simple nouns? Please share a link to it in that case. Because all word lists with 4000+ words I have ever seen have adjectives and verbs too, and complicated words, and I found that to make the passphrases hard to visualize and remember.

      I made my own prefix-free list with 1024 words, only short simple nouns, so exactly 10 bits of entropy per word. Easier to remember, even if I need to add one or two more words for the same security level.

      gos-users Mathematically, brute-forcing a 4-word passphrase would take considerable time, but with modern processing power, it’s not impractical. In contrast, a 7-word passphrase, due to its vastly larger keyspace, would be extremely hard to brute-force within a reasonable timeframe, even with a powerful attack.

      Another option instead of considering timeframe is to calculate how much in electricity cost alone the attacker would have to pay to brute-force your passphrase. This has the advantage that we don't have to make assumptions about how much hardware the attacker has access to, which is hard in a world where compute power can be easily rented, including specialized hardware like ASICs. But whatever amount of hardware they have, whatever amount of time it takes to brute-force your passphrase, it will still cost them the same amount in electricity bill, because they cannot magically get access to more power-efficient hardware or algorithms than anyone else can get access to, so they still consume the same amount of electricity per tried word combination. My impression is this method is preferable for high-risk threat models. You just need to select enough words that the electricity alone would make it too expensive for your attacker to be able to or willing to pay to break into your specific device. Even for state actors it can get too expensive, taxpayers might riot if too much money is "misplaced" to break into a single activist's phone.

      https://tails.net/security/argon2id/index.en.html#comparison

      Without trusting secure element throttling, the GrapheneOS algorithm is comparable to PBKDF2 in that table from the link. GrapheneOS is using scrypt, but with parameters so weak that they are comparable to PBKDF2. And their word list gives about 13 bits of entropy per word, so similar to the one you mentioned. Most people could easily afford to break a 4-word passphrase ($1 000), if they believe there is anything of value at all on your phone, but I cannot imagine even a state actor being able to pay the price for breaking a 7-word passphrase ($1 000 000 000 000 000). And these prices do not include rent cost or cost for hardware, it is electricity alone, so there is already some margin. I remember having seen how they calculated the cost, but they took into account power consumption for ASIC hardware and powering RAM memory modules of large enough size, and some average cost of electricity at the time. I cannot find that page now.

      gos-users The method works by rolling dice to select words from a list

      Perfect high-quality dice. Lower quality ones might have bias because of production flaws that make certain words much likelier to get selected. But it is better to use the cryptographically secure random number generator on your computer, it doesn't have any such flaws. And the security for the encryption relies on it anyway, since the actual encryption key is generated. The passphrase is just used to wrap the encryption key.

      https://blog.quarkslab.com/android-data-encryption-in-depth.html
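
The word-list properties discussed in the post above (a prefix-free list of 1024 words at exactly 10 bits per word, with words drawn by the computer's cryptographically secure random number generator), as an added example that is not part of the original post. The syllable list, the counter-example list and all function names are constructed for illustration.

```python
import math
import secrets
from itertools import product

# Constructed stand-in for a 1024-word list: fixed-length syllables, so no
# entry can be a prefix of another. A real list would hold short nouns.
CONSONANTS, VOWELS = "bdfghjklmnprstvz", "aeio"
WORDLIST = ["".join(p) for p in product(CONSONANTS, VOWELS, CONSONANTS)]

# Constructed counter-example: "car" is a prefix of "carpet".
NOT_PREFIX_FREE = ["car", "carpet", "petal", "al"]

def is_prefix_free(words):
    """True if entries are unique and none is a prefix of another."""
    ordered = sorted(set(words))
    if len(ordered) != len(words):
        return False
    # In sorted order a prefix sits directly before a word that extends it.
    return all(not b.startswith(a) for a, b in zip(ordered, ordered[1:]))

def ambiguous_joins(words, count=2):
    """Unseparated `count`-word strings that more than one word sequence produces."""
    seen = {}
    for combo in product(words, repeat=count):
        seen.setdefault("".join(combo), []).append(combo)
    return {text: combos for text, combos in seen.items() if len(combos) > 1}

def entropy_bits(words, count):
    """Bits of entropy for `count` uniformly chosen words."""
    return count * math.log2(len(words))

def words_needed(words, target_bits):
    """Fewest words from `words` reaching at least `target_bits`."""
    return math.ceil(target_bits / math.log2(len(words)))

def generate(words, count):
    """Draw words with the OS CSPRNG via `secrets`, not dice or `random`."""
    return [secrets.choice(words) for _ in range(count)]

if __name__ == "__main__":
    print(is_prefix_free(WORDLIST), entropy_bits(WORDLIST, 1))
    print(ambiguous_joins(NOT_PREFIX_FREE))
    print(" ".join(generate(WORDLIST, 6)))
```

With the counter-example list, "car" + "petal" and "carpet" + "al" both type out as the same string when no separator is used, so two distinct draws collapse into one passphrase; a prefix-free list rules that out.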

      • Thank you, I just tried flashing a Pixel 8a, and honestly, it’s magical.
        You are amazing, thanks to the entire GOS team.

        Nothing to say, it’s great.

        And here’s the additional part about Diceware:

        Diceware is a method of generating strong passphrases using a random selection of words. The longer the passphrase, the more secure it is. The method works by rolling dice to select words from a list, typically consisting of 7776 possible words.
        Examples of Diceware passphrases:

        4 words: piano finger window chair
        5 words: mango rocket whisper dance paper
        6 words: sunshine actor paper pencil cloud clock
        7 words: cat turtle hat piano window goose march

        Security and Difficulty:

        The security of Diceware passphrases depends on the number of words used. For example, a 4-word passphrase has about 7776^4 (approx. 3.7 trillion) possible combinations, while a 7-word passphrase has 7776^7 (about 1.4 quadrillion) possible combinations.

        Mathematically, brute-forcing a 4-word passphrase would take considerable time, but with modern processing power, it’s not impractical. In contrast, a 7-word passphrase, due to its vastly larger keyspace, would be extremely hard to brute-force within a reasonable timeframe, even with a powerful attack.

        Effectiveness of Diceware:
        Diceware’s strength lies in its simplicity and ease of use while still being extremely secure. It is considered one of the best ways to generate memorable yet strong passphrases.

        You can read more about Diceware and its effectiveness here: https://www.eff.org/dice

        HAPPY NEW YEAR

        • Seedvault backups are per profile.

          Andromxda could I restore from an Owner profile backup in another profile on another device (or even on the same device) or vice-versa?

          Likely but I'm not sure. Remember to always try Seedvault backups to verify that they work before you depend on them. They can be really unreliable sometimes.