Joseph Block writes:
Maybe I'm just being a little dense about this.
If I am the only person who knows what pair of texts I'm using and what permutation algorithm, and what the random number I'm going to salt the pass phrase with, and where I'm going to put the random digits, how is it insecure? ...
I then throw in 1701 as follows
1701THQ1EBA7FLJ0SOM1THL1EDA7
Without knowing the phrases, method, or number, what makes this insecure? ^^^^^^^^^
It's not that this password is "insecure" on the face of it, it's that the password has much less entropy than its 25 or 30 characters would otherwise suggest. Dividing passwords into "secure" and "insecure" is not very useful...intstead, one talks about entropy, a measure of randomness or unpredictability. The "structure of password space" is rich and crufty, filled with nooks and crannies of easily-guessed (relatively) n-bit passwords in a sea of nearly unguessable passwords. The trick is not let human psychology lead you into picking a relatively easy to guess passphrase. It may seem "really hard to guess" a password that takes the opening lines of "Atlas Shrugged" and twiddles and salts them a bit, but "opening line" attacks may be programmed to run in a few seconds on the Crays that do these sorts of things. Entropy that just isn't there can't be conjured up. (As usual, I'm not saying this is a pressing concern. I still use an 11-character nonsense word as my password. This partly reflects my judgement on where the attacks on my PGP use are likely to be.) --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway."