From: tcmay@netcom.com (Timothy C. May)
To: jpb@gate.net (Joseph Block)
Message Hash: e83d5317d76b43bde69bca23c7161602ad6a72279d65386512d79af2285994c1
Message ID: <199407041713.KAA05267@netcom5.netcom.com>
Reply To: <199407041451.KAA56206@inca.gate.net>
UTC Datetime: 1994-07-04 17:09:50 UTC
Raw Date: Mon, 4 Jul 94 10:09:50 PDT
Subject: Re: Pass Phrases
Joseph Block writes:
> Maybe I'm just being a little dense about this.
>
> If I am the only person who knows what pair of texts I'm using and what
> permutation algorithm, and what the random number I'm going to salt the
> pass phrase with, and where I'm going to put the random digits, how is it
> insecure?
...
> I then throw in 1701 as follows
>
> 1701THQ1EBA7FLJ0SOM1THL1EDA7
>
> Without knowing the phrases, method, or number, what makes this insecure?
                                                                  ^^^^^^^^^
It's not that this password is "insecure" on the face of it, it's that
the password has much less entropy than its 25 or 30 characters would
otherwise suggest. Dividing passwords into "secure" and "insecure"
is not very useful...instead, one talks about entropy, a measure of
randomness or unpredictability.

The "structure of password space" is rich and crufty, filled with
nooks and crannies of easily-guessed (relatively) n-bit passwords in a
sea of nearly unguessable passwords. The trick is not to let human
psychology lead you into picking a relatively easy to guess
passphrase.

It may seem "really hard to guess" a password that takes the opening
lines of "Atlas Shrugged" and twiddles and salts them a bit, but
"opening line" attacks may be programmed to run in a few seconds on
the Crays that do these sorts of things. Entropy that just isn't there
can't be conjured up.

(As usual, I'm not saying this is a pressing concern. I still use an
11-character nonsense word as my password. This partly reflects my
judgement on where the attacks on my PGP use are likely to be.)

--Tim May
--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
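
Added example, not part of the original message or written by either correspondent: a Python sketch that counts the entropy of a scheme-built passphrase against that of random characters of the same length. The four sample texts, the `build` scheme (which only mimics the shape of the quoted 28-character password; the real method is elided in the quote) and the spacing choices are assumptions made for illustration.

```python
import itertools
import math

# Constructed sample texts (assumption: a tiny stand-in for a real corpus).
TEXTS = [
    "it was the best of times it was the worst of times",
    "call me ishmael some years ago never mind how long",
    "who is john galt the light was ebbing and eddie",
    "in a hole in the ground there lived a hobbit not",
]
ALL_SALTS = [f"{n:04d}" for n in range(10_000)]  # every 4-digit salt
SPACINGS = (2, 3, 6)  # letters between inserted salt digits (assumed options)


def initials(text, count=9):
    """First letter of each of the first `count` words, upper-cased."""
    return "".join(word[0] for word in text.split()[:count]).upper()


def build(text_a, text_b, salt, spacing):
    """Hypothetical scheme: interleave the initials of two texts, prefix the
    salt, then append one salt digit after every `spacing` letters."""
    pairs = zip(initials(text_a), initials(text_b))
    letters = "".join(a + b for a, b in pairs)
    digits = itertools.cycle(salt)
    chunks = [letters[i:i + spacing] + next(digits)
              for i in range(0, len(letters), spacing)]
    return salt + "".join(chunks)


def candidate_space(texts=TEXTS, salts=ALL_SALTS, spacings=SPACINGS):
    """Every passphrase the scheme can emit: what is left to search once
    the scheme is known and only the user's choices are secret."""
    return {build(a, b, salt, k)
            for a, b in itertools.permutations(texts, 2)
            for salt in salts for k in spacings}


def scheme_bits(**kwargs):
    """Entropy in bits when each secret choice is made uniformly at random."""
    return math.log2(len(candidate_space(**kwargs)))


def uniform_bits(length, alphabet_size=36):
    """Entropy of `length` characters drawn uniformly from A-Z and 0-9."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sample = build(TEXTS[2], TEXTS[0], "1701", 3)
    print(sample, len(sample))
    print(f"scheme {scheme_bits():.1f} bits, uniform {uniform_bits(28):.1f} bits")
```

Scaling the toy corpus to a million candidate texts adds about 40 bits for the ordered pair, still far below the roughly 145 bits that 28 random characters would carry.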