
Re: Pass Phrases



[email protected] writes:
>I just pick a sentence and...If you feel paranoid...

Allow me to take back all I said about my difficulty in finding good
passwords.  I can make up plenty of difficult passphrases, and I can even
type them blindly.


What worries me is that *others* will not be as wonderfully smart and
clever as am I.


Most persons in the modern world already have to remember several
"passwords", most of them being PINs.  Large numbers of persons in the
modern world also use some sort of computer that also requires a
password.  Many of these people are even allowed to choose their own
passwords.

The resulting security is *terrible*.  People pick terrible passwords;
just read one of the papers on dictionary attacks on /etc/passwd.

There are two general approaches to this problem: 1) Lecture on the
importance of picking good passwords.  2) Slow down the testing of the
poor passwords people do pick.  

Wait, there is a third approach: ignore the problem!  Pat ourselves on
the back for choosing (and being able to type) passphrases with maybe
40 bits of entropy in them.

Sorry, folks, the best way to make your 40 bits secure is to force the
TLAs to crack *everyone's* keyrings; try to make them all a bit more
secure.

It seems to me doing what we can to slow down the testing of passwords
is a good idea.  Of course keeping encrypted private keys out of
circulation is a good idea, but that does not mean there is nothing
else to be done.


-kb, the Kent who can get annoying


--
Kent Borg                                                  +1 (617) 776-6899
[email protected]                                
[email protected]                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!
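An added illustration of the second approach in the message above (slowing down the testing of whatever passwords people do pick), written for this page and not taken from Kent Borg's post or from any software he refers to. It iterates the hash with the standard library's hashlib.pbkdf2_hmac so that every candidate an attacker tests costs the same work the legitimate user pays once; the wordlist, salt and passphrases are constructed for the example. The caveat the code makes explicit: iterating N times adds log2(N) bits of *work* per guess, not entropy, so it helps a 40-bit passphrase against a dictionary or exhaustive search but does nothing against a passphrase that is the attacker's first guess.

```python
# Added example (not from Kent Borg's post): slowing down password testing
# by key stretching. Uses hashlib.pbkdf2_hmac from the Python standard
# library; the salt, wordlist and passphrases below are constructed for
# illustration and are not taken from the page.
import hashlib
import hmac
import math
import time

# Constructed toy wordlist standing in for the dictionaries used in the
# /etc/passwd attacks the post refers to.
WORDLIST = ["password", "secret", "qwerty", "letmein", "dragon",
            "monkey", "sunshine", "iloveyou", "trustno1", "welcome"]
SALT = b"constructed-salt-16b"  # a real deployment draws a random per-user salt


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 32-byte key with PBKDF2-HMAC-SHA256.

    Every candidate an attacker tries costs the same `iterations` HMAC
    calls that the legitimate user pays once at unlock time.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def verify(passphrase: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison of a candidate's derived key against the stored one."""
    return hmac.compare_digest(derive_key(passphrase, salt, iterations), expected)


def stretch_bits(iterations: int) -> float:
    """Work factor in bits: iterating N times costs a guesser log2(N) bits'
    worth of extra effort per candidate.  It adds no entropy, so it does
    nothing if the passphrase happens to be the attacker's first guess."""
    return math.log2(iterations)


def effective_bits(passphrase_entropy_bits: float, iterations: int) -> float:
    """Guessing cost of a passphrase plus stretching, in bits of work."""
    return passphrase_entropy_bits + stretch_bits(iterations)


def dictionary_attack(wordlist, salt: bytes, iterations: int, target: bytes):
    """Try each wordlist entry in order; return (recovered passphrase or None,
    number of guesses made).  Each guess pays the full stretching cost."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if verify(candidate, salt, iterations, target):
            return candidate, guesses
    return None, len(wordlist)


def guesses_per_second(iterations: int, samples: int = 10) -> float:
    """Rough single-core guessing rate at a given iteration count (timing only;
    the absolute number depends on the machine, the ratio between counts does not)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate{i}", SALT, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for iters in (1, 1_000, 100_000):
        rate = guesses_per_second(iters)
        print(f"{iters:>7} iterations: ~{rate:,.0f} guesses/s, "
              f"+{stretch_bits(iters):.1f} bits of work per guess; "
              f"a 40-bit passphrase costs ~{effective_bits(40, iters):.1f} bits")
    stored = derive_key("letmein", SALT, 1_000)
    print("dictionary attack:", dictionary_attack(WORDLIST, SALT, 1_000, stored))
```

Run as a script it prints the guessing rate falling by roughly the iteration factor; the weak passphrase "letmein" still falls to the wordlist on the fourth guess, just 1,000 times more slowly, which is the whole of what stretching buys: the TLA has to spend that factor on *every* keyring, not just the weak ones.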