1994-07-03 - Re: Password Difficulties

Header Data

From: kentborg@world.std.com (Kent Borg)
To: cypherpunks@toad.com
Message Hash: 3f8d9b8e2c16a703446c97432fde51d16e29b2b53c664ad162e2e5d5b3a669e9
Message ID: <199407030709.AA16211@world.std.com>
Reply To: N/A
UTC Datetime: 1994-07-03 07:09:59 UTC
Raw Date: Sun, 3 Jul 94 00:09:59 PDT

Raw message

From: kentborg@world.std.com (Kent Borg)
Date: Sun, 3 Jul 94 00:09:59 PDT
To: cypherpunks@toad.com
Subject: Re: Password Difficulties
Message-ID: <199407030709.AA16211@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain


lcottrell@popmail.ucsd.edu writes:
>I make a point of using at least one non-dictionary word in every
>passphrase I make.

Something pronounceable?  Something that follows rules of some natural
language, something short that could have been a word?

Good, but not the whole cigar.  Last I used VMS you could get it to
suggest non-word word-a-likes to use as your password.  Seems terribly
brute-forceable in 1994.

Adding a non-word to a pass phrase is like increasing the size of the
dictionary, and if you only do one non-word then only *that* word
picks up more bits of entropy in the phrase.  Yes, there are bits in
where you put the word, but the whole phrase did not become made of
deep bits.

But my point is really that even these often-less-good-than-they-look
measures are far better than what *real* people are going to do.


-kb, the Kent who wonders whether real people will ever have decent security


--
Kent Borg                                                  +1 (617) 776-6899
kentborg@world.std.com                                
kentborg@aol.com                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!
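
The entropy argument in the message above, worked through as an added example (not part of the original message). It assumes every word is chosen uniformly at random, a dictionary size chosen for illustration, and a consonant-vowel syllable model for "pronounceable non-words"; all function names are hypothetical.

```python
import math

def cv_nonword_space(syllables, consonants=21, vowels=5):
    """Count strings built from consonant+vowel syllables. This is an assumed
    model of a pronounceable non-word; any overlap with real words is ignored."""
    return (consonants * vowels) ** syllables

def bits_all_dictionary(n_words, dict_size):
    """Phrase entropy when every slot is a uniformly chosen dictionary word."""
    return n_words * math.log2(dict_size)

def bits_one_nonword(n_words, dict_size, nonword_space):
    """Phrase entropy when exactly one randomly placed slot holds a non-word.
    Search space is n_words * dict_size**(n_words - 1) * nonword_space."""
    return ((n_words - 1) * math.log2(dict_size)
            + math.log2(nonword_space)
            + math.log2(n_words))

def bits_all_nonwords(n_words, nonword_space):
    """Phrase entropy when every slot is a uniformly chosen non-word."""
    return n_words * math.log2(nonword_space)

def gain_breakdown(n_words, dict_size, nonword_space):
    """Split the gain from one non-word into (bits from that word alone,
    bits from where it was put). No other slot gains anything."""
    word_gain = math.log2(nonword_space) - math.log2(dict_size)
    position_gain = math.log2(n_words)
    return word_gain, position_gain

if __name__ == "__main__":
    D = 50_000                 # constructed dictionary size (assumption)
    N = cv_nonword_space(3)    # three-syllable non-words, e.g. "bokuta"
    print(f"dictionary word: {math.log2(D):.1f} bits, non-word: {math.log2(N):.1f} bits")
    print(f"{'words':>5} {'all dict':>9} {'one non-word':>13} {'all non-words':>14}")
    for n in (3, 4, 5, 6):
        print(f"{n:>5} {bits_all_dictionary(n, D):>9.1f} "
              f"{bits_one_nonword(n, D, N):>13.1f} {bits_all_nonwords(n, N):>14.1f}")
    word_gain, pos_gain = gain_breakdown(4, D, N)
    print(f"4-word phrase: +{word_gain:.1f} bits from the word, +{pos_gain:.1f} from its position")
```

The gain from a single non-word stays roughly constant as the phrase grows, while the all-non-word column grows by the full per-word amount in every slot.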
