1994-07-02 - Passwords, passphrases, etc.

Header Data

From: Michael Wilson <0005514706@mcimail.com>
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: f01577530e0290505ede7ba3ca4f91b23bba1ee3d8b30b8acbab4fb2718c1bb5
Message ID: <61940702193416/0005514706NA3EM@mcimail.com>
Reply To: N/A
UTC Datetime: 1994-07-02 19:36:10 UTC
Raw Date: Sat, 2 Jul 94 12:36:10 PDT

Raw message

From: Michael Wilson <0005514706@mcimail.com>
Date: Sat, 2 Jul 94 12:36:10 PDT
To: Cypherpunks <cypherpunks@toad.com>
Subject: Passwords, passphrases, etc.
Message-ID: <61940702193416/0005514706NA3EM@mcimail.com>
MIME-Version: 1.0
Content-Type: text/plain


Cypherpunks:

The evolution of the discussion here regarding passwords or passphrases is a 
telling indicator, and one which people here should think about, because you are
reinventing the NSA.

You start with a desire for privacy/secrecy, and so you create a package as a 
functional cryptosystem.  The requirements of the cryptosystem, however, makes 
memorization of the cryptographic key non-trivial (and nobody here suggests 
offline storage, as the NSA primarily uses); this causes you to use an access 
control mechanism that protects the key on a local basis.  This then makes you 
think about armoured operating systems, physical security of the site, biometric
security, signals emission, coersion methods, etc.  It is a capsule history of 
the enemy, and I hope it helps you understand what created them; the major 
difference was that they had an available budget and potent adversaries.  
Imagine the cypherpunks sitting around and attacking their own system and others
(Clipper, for instance), getting paid to write code, build hardware, whatever 
necessary to attack/defend, and with operational support and infrastructure.  
Quite educational, isn't it?

Another brief observation you might want to think about in regards to the 
implications; the data in the public domain for cryptanalysis tends to be based 
primarily in the English language (frequency tables, dictionary attacks, etc.). 
Isn't it striking that so little of similar data has leaked out for what one can
assume were the real targets--Russian, Arabic, German, etc.?  Seems to be quite 
an effort to attack English-based systems.  There also seems to be an unusual 
silence on what one would consider to be important cryptanalysis data--if you 
were NSA, wouldn't you be certain to suppress data that helped your adversary?  
Just food for thought.  Is this a true emphasis or a Potemkin village?

One benefit of being multilingual; all access codes that I need to remember are 
obscure phrases in little known dialects.  I imagine they would look like 
gibberish to the uninitiated.

Michael Wilson
Managing Director, The Nemesis Group

[I hope that the record of purchases made through the Maryland Procurement group
are making their way from systems such as Mead Data and into private systems for
analysis; warning, access of such data is expensive.]





Thread