1994-07-02 - Password Difficulties

Header Data

From: kentborg@world.std.com (Kent Borg)
To: cypherpunks@toad.com
Message Hash: 8a7413ca9c27b2d9fef7920823019b77c14a92f245d0cc9f78dc6a5bd7e5f983
Message ID: <199407020153.AA07332@world.std.com>
Reply To: N/A
UTC Datetime: 1994-07-02 01:53:29 UTC
Raw Date: Fri, 1 Jul 94 18:53:29 PDT

Raw message

From: kentborg@world.std.com (Kent Borg)
Date: Fri, 1 Jul 94 18:53:29 PDT
To: cypherpunks@toad.com
Subject: Password Difficulties
Message-ID: <199407020153.AA07332@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain


Hey folks, passwords are hard to choose!
 
It boils down to this: I can't remember as many bits as the TLAs can
crack by brute force.
 
Starting with a bunch of coin tosses I tried ways of coding them: hex,
ASCII, and words off word lists.
 
Horrors!  The hex is too long, the ASCII is too long and too obscure,
words chosen by those bits too many and too obscure.
 
Sorry, there is no way regular people are going to remember pass words
or phrases with more than about 50-bits worth of information in
them--and even doing that well is going to be rare.
 
We need to slow down password testing?
 
Obvious things come to mind.  1) Try to pair up short passwords with
slow hardware, like a smartcard that can only consider a few passwords
a second.  2) Try to hide behind an expensive operation.  (Does
encrypting my private key 1,000,000-times equal encrypting it once
with a key 20-bits longer?)
 
What do we do?  (What are you folks doing right now?)


-kb, the Kent who occasionally considers practicalities


--
Kent Borg                                                  +1 (617) 776-6899
kentborg@world.std.com                                
kentborg@aol.com                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!
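
The stretching question raised in the message (1,000,000 repetitions versus a key 20 bits longer) can be checked numerically. This is an added example, not part of the original message: it uses PBKDF2-HMAC-SHA256 from Python's hashlib as a stand-in for the repeated encryption the post describes, and the function names, the 50-bit passphrase, the salt and the single-core guessing rate are assumptions.

```python
import hashlib
import math
import time

def stretch(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key; every guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)

def effective_bits(passphrase_bits: float, iterations: int) -> float:
    """Brute-force work in bits, counted in single KDF rounds.

    Iterating N times multiplies the cost of each guess by N, which is
    the same work as log2(N) extra key bits. It adds no entropy: a
    guessable passphrase stays guessable, each guess is just slower.
    """
    return passphrase_bits + math.log2(iterations)

def expected_search_seconds(passphrase_bits: float, rounds_per_second: float,
                            iterations: int) -> float:
    """Average time to find the passphrase (half the space searched)."""
    guesses = 2.0 ** (passphrase_bits - 1)
    return guesses * iterations / rounds_per_second

def measured_rounds_per_second(iterations: int = 200_000) -> float:
    """Time one derivation on this machine to estimate rounds per second."""
    start = time.perf_counter()
    # Constructed sample passphrase and salt, for timing only.
    stretch(b"constructed sample passphrase", b"constructed-salt", iterations)
    return iterations / (time.perf_counter() - start)

if __name__ == "__main__":
    # Assumption: the guesser has one core comparable to this machine.
    rate = measured_rounds_per_second()
    for n in (1, 1_000_000, 2 ** 20):
        years = expected_search_seconds(50, rate, n) / (365.25 * 86400)
        print(f"iterations={n:>9,}  effective bits={effective_bits(50, n):6.2f}  "
              f"~{years:,.0f} years on one core like this one")
```

The same factor is paid by the legitimate user on every unlock, so the iteration count is bounded by how long that user will wait.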




