1995-11-16 - Re: Repeated Words/characters in Password/Phrase

Header Data

From: foodie@netcom.com
To: cypherpunks@toad.com
Message Hash: c911887af174e5c0eb2290804dc6f6ca2a524d027beadec4536ddc8363003eeb
Message ID: <v02130505acd00385c158@DialupEudora>
Reply To: N/A
UTC Datetime: 1995-11-16 01:16:09 UTC
Raw Date: Thu, 16 Nov 1995 09:16:09 +0800

Raw message

From: foodie@netcom.com
Date: Thu, 16 Nov 1995 09:16:09 +0800
To: cypherpunks@toad.com
Subject: Re: Repeated Words/characters in Password/Phrase
Message-ID: <v02130505acd00385c158@DialupEudora>
MIME-Version: 1.0
Content-Type: text/plain


>In the real world, where passphrases must be memorized, "long and random"
>is an elusive goal, which has to be weighed against the risk of other
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>attacks (such as capturing keystrokes with a software monitor, or from afar
 ^^^^^^^
>with a van Eck antenna, etc.).
>
>Me, I use a nonsense phrase which has meaning to me, with a few garbage
>characters added to confuse things further. I don't think my passphrase is
>the weak link.
>
>- --Tim May

This is, of course, very good advice.

Passphrases need only be as strong as every other component of the security
system. I'd add that there is a moderately good reason to keep the passphrase
_only_ as strong as every other component of the system for psychological
reasons.

The passphrase is what the user tends to think of when they think of their
system. Even if that user is the designer of the system, a false sense of
security can be an easy thing to develop. At a past place-of-work, someone
there who prided themselves on using difficult passphrases was bitten pretty
severely by a faulty .forward file.

DES provides similar lessons - searching 56 bits of keyspace requires just
barely less effort than that required to launch other attacks on the algorithm
(in theory, at least). The system is, as far as anybody knows, secure, and no
part of it is significantly more secure than any other.

-j

--
On the internet, nobody knows you're a diety.
_________________________________________________________________
Jamie Lawrence                                <foodie@netcom.com>






