From: Mike Johnson second login <exabyte!gedora!mikej2@uunet.uu.net>
Date: Tue, 5 Jul 94 11:15:21 PDT
To: Eli Brandt <gedora!uunet!jarthur.cs.hmc.edu!ebrandt@uunet.uu.net>
Subject: Re: Password Difficulties
In-Reply-To: <9407022117.AA06795@toad.com>
Message-ID: <Pine.3.89.9407051145.D3813-0100000@gedora>
MIME-Version: 1.0
Content-Type: text/plain




On Sat, 2 Jul 1994, Eli Brandt wrote:

> > It boils down to this: I can't remember as many bits as the TLAs can
> > crack by brute force.
> 
> Have you *tried* to memorize these long passphrases?  I pick ones that
> are substantially too complex for me to memorize in one trial.  So I
> write the candidate passphrase on paper until I have a grasp on it,
> then burn the paper, scatter the ashes (yes, literally), and begin to
> use the passphrase.  My experience is that once I've successfully
> remembered a phrase two or three times, I will not forget it.
> ... 

I have actually tried memorizing truly random passwords of 8 characters 
or longer (generated with a paranoid program similar to PGP 2.6's 
excellent technique).  I've found that if I review it enough, that I find 
patterns and mnemonic clues in such passwords that help me to remember 
them.  I don't imagine too many people will go through that effort, so I 
still think that a longer pass phrase that sort of "makes sense" is 
better for a PGP key.  Still, I do use the truly random passwords on 
publicly accessible Unix systems like CSN, since that makes dictionary 
attacks improbable.