1994-07-04 - Re: Pass Phrases

Header Data

From: kentborg@world.std.com (Kent Borg)
To: cypherpunks@toad.com
Message Hash: 10591aa9378b06a583feb99a0ed9b29f919784aadb1da046718a338be9ea49a6
Message ID: <199407040913.AA16672@world.std.com>
Reply To: N/A
UTC Datetime: 1994-07-04 09:11:07 UTC
Raw Date: Mon, 4 Jul 94 02:11:07 PDT

Raw message

From: kentborg@world.std.com (Kent Borg)
Date: Mon, 4 Jul 94 02:11:07 PDT
To: cypherpunks@toad.com
Subject: Re:  Pass Phrases
Message-ID: <199407040913.AA16672@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain


jpb@gate.net writes:
>I just pick a sentence and...If you feel paranoid...

Allow me to take back all I said about my difficulty in finding good
passwords.  I can make up plenty difficult passphrases, and I can even
type them blindly.


What worries me is that *others* will not be as wonderfully smart and
clever as am I.


Most persons in the modern world already have to remember several
"passwords", most of them being PINs.  Large numbers of persons in the
modern world also use some sort of computer that also requires a
password.  Many of these people are even allowed to choose their own
passwords.

The resulting security is *terrible*.  People pick terrible passwords,
just read one of the papers on dictionary attacks on /etc/passwd.

There are two general approaches to this problem: 1) Lecture on the
importance of picking good passwords.  2) Slow down the testing of the
poor passwords people do pick.  

Wait, there is a third approach: ignore the problem!  Pat ourselves on
the back for choosing (and being able to type) passphrases with maybe
40-bits of entropy in them.  

Sorry folks, the best way to make your 40-bits secure is to force the
TLAs to crack *everyone's* keyrings, try to make them all a bit more
secure.

It seems to me doing what we can to slow down the testing of passwords
is a good idea.  Of course keeping encrypted private keys out of
circulation is a good idea, but that does not mean there is nothing
else to be done.


-kb, the Kent who can get annoying


--
Kent Borg                                                  +1 (617) 776-6899
kentborg@world.std.com                                
kentborg@aol.com                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!
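
The second approach in the message above (slowing down the testing of guesses), worked through as an added example that is not part of Kent Borg's message. The message names no mechanism, so PBKDF2-HMAC-SHA256, the iteration counts, and the function names here are assumptions; the 40-bit figure is the one from the message.

```python
import hashlib
import hmac
import math
import time

SECONDS_PER_YEAR = 365.25 * 86400

def stretch(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 32-byte key that would encrypt the private key on disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)

def verify(passphrase: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time check of one passphrase guess against the stored key."""
    return hmac.compare_digest(stretch(passphrase, salt, iterations), expected)

def effective_bits(entropy_bits: float, iterations: int) -> float:
    """log2 of attacker work, counted in PBKDF2 iterations rather than guesses."""
    return entropy_bits + math.log2(iterations)

def exhaust_years(entropy_bits: float, guess_seconds: float, workers: int = 1) -> float:
    """Expected years to hit the passphrase: half the space, split across workers."""
    return 2 ** (entropy_bits - 1) * guess_seconds / workers / SECONDS_PER_YEAR

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock cost of one guess on this machine."""
    salt = bytes(16)  # fixed salt is acceptable for timing only
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        stretch("timing probe", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

if __name__ == "__main__":
    # Constructed sample settings: the same 40-bit passphrase at three costs.
    for iterations in (1, 1_000, 100_000):
        cost = seconds_per_guess(iterations)
        print(f"{iterations:>7} iterations: {cost * 1e3:8.3f} ms/guess, "
              f"{effective_bits(40, iterations):5.1f} effective bits, "
              f"{exhaust_years(40, cost):10.2f} years on one core")
```

The legitimate user pays the per-guess cost once per unlock, while an attacker holding the encrypted key pays it for every candidate; a per-key random salt keeps that work from being shared across keyrings.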
