joshua@cae.retix.com writes:
Hey folks, passwords are hard to choose!
?
What part don't you understand? Give people the opportunity to chose "random" passwords and they choose easily guessed strings. (Well demonstrated.) Tell people to chose a *phrase* and they are going to frequently type "The quick brown fox...". (My assertion.) Your suggestion about rare steak is so long that "normal" people are not going to bother with it. Just getting people to type the 19-characters of "the quick brown fox"--just four words--is going to be hard, and there are not very many bits of information in 4 short common English words--forget that they are a chiche. Besides, your sample phrase might not have as many bits in it as you think.
Rare steak tastes good when it is cooked over a wood fire. better chicken. better than fish. good with worcestershire sauce.
22 words, a good start. But all will appear in a short dictionary list, 4 gramatical sentences, sentences with related meaning. Not so good. Slightly non-standard capitalization--but only a few bits in that. You suggest a phrase that is going to seem annoying to people raised on 4-digit PINs, yet it still might not have, say, the 128-bits lots of people want. My 128 coin tosses can be roughly turned into 8-words, but out of a much larger word list than your phrase and with no gramatical connections--and hard to remember. Each transformation I might do to those words to help remember them chops off a few of my original bits. By the time I have something my mother is going to bother with there are few bits left. A little brute force and those bits are blown. And why should you care if my mom uses weak keys? Because it will undermine the legal weight of things like digital signatures. Because all communication you have with "normal" people will be nearly in the clear because of their poor security. If you want privacy, you need to help others have privacy. Back to a rephrasing of my original question: should programs like PGP super-duper encrypt the private key (and remove those hints poeple have mentioned recently) as a way of slowing down brute-force attacks? -kb P.S. Remember, even a good hashing algorithm should not be expected to create entropy out of thin air. Too few bits in means too few bits out. Just because I don't know how to analyze those bits does not mean you should be content. -- Kent Borg +1 (617) 776-6899 kentborg@world.std.com kentborg@aol.com Proud to claim 31:15 hours of TV viewing so far in 1994!