[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Repeated Words/characters in Password/Phrase



>In the real world, where passphrases must be memorized, "long and random"
>is an elusive goal, which has to be weighed against the risk of other
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>attacks (such as capturing keystrokes with a sofware monitor, or from afar
 ^^^^^^^
>with a van Eyk antenna, etc.).
>
>Me, I use a nonsense phrase which has meaning to me, with a few garbage
>characters added to confuse things further. I don't think my passphrase is
>the weak link.
>
>- --Tim May

This is, of course, very good advice.

Passphrases need only be as strong as every other component of the security
system. I'd add that there is a moderately good reason to keep the passphrase
_only_ as strong as every other component of the system for psychological
reasons.

The passphrase is what the user tends to think of when they think of their
system. Even if that user is the designer of the system, a false sense of
security an be an easy thing to develop. At a past place-of-work, someone
there who prided themselves on using difficult passphrases was bitten pretty
severely by a faulty .forward file.

DES provides similar lessons - searching 56 bits of keyspace requires just
barely less effort than that required to launch other attacks on the algorithm
(in theory, at least). The system is, as far as anybody knows, secure, and no
part of it is significantly more secure than any other.

-j

--
On the internet, nobody knows you're a diety.
_________________________________________________________________
Jamie Lawrence                                <[email protected]>