Re: Password Difficulties
ben@Tux.Music.ASU.Edu and joshua@cae.retix.com both suggest ways to choose passwords/phrases--things no normal person will do.

What do we do about a population which thinks a 4-digit PIN is secure? If people use their current ATM PINs--and a lot of computer users *do* when they are allowed--there will be problems: if we want privacy we had better figure out how to give everyone privacy.

Part of my original post was cribbing from a paper I once read on the security of crypt on Unix machines. It talked of multiple applications of crypt to slow down brute-force password cracking. Should things like PGP use this technique in protecting the secret key? Does a million encryptions equal 10-bits added to the key? (Assuming the million encryptions cannot be composed into a single equivalent encryption.)

-kb

--
Kent Borg                 +1 (617) 776-6899
kentborg@world.std.com    kentborg@aol.com
Proud to claim 31:15 hours of TV viewing so far in 1994!
> What do we do about a population which thinks a 4-digit PIN is secure? If people use their current ATM PINs--and a lot of computer users *do* when they are allowed--there will be problems: if we want privacy we had better figure out how to give everyone privacy.

There's a difference: as far as I know, ATM PINs can't be cracked offline (somebody correct me if I'm wrong). The big problem here is that you have to assume the attacker can do his thing offline. Require an online trial for every test key and it becomes much easier to detect this sort of thing.

Phil
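Kent's question about applying crypt repeatedly to slow down brute force, and Phil's point that the real danger is offline guessing, both come down to a work-factor calculation. The following Python is an added example written for this archive page, not code posted by anyone in the thread: it stretches a password by iterated SHA-256 (and shows the standard-library PBKDF2 equivalent), computes the effective bits gained as log2 of the iteration count (a million rounds is just under 2^20, under Kent's assumption that the rounds cannot be composed into one operation), and contrasts an offline verifier with an ATM-style online verifier that locks after a fixed number of failures. All names (`stretch_key`, `OnlineVerifier`, etc.), the sample PIN and the salt are my own constructed choices.

```python
import hashlib
import hmac
import math


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated hashing ("key stretching").

    The password is mixed back in on every round, so the chain cannot be
    replaced by one cheaper function of the password: every candidate an
    attacker tests costs `iterations` SHA-256 evaluations.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    state = hashlib.sha256(salt + password).digest()
    for _ in range(iterations):
        state = hashlib.sha256(state + password).digest()
    return state


def pbkdf2_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The standardised form of the same idea: PBKDF2-HMAC-SHA256 from the
    Python standard library (hashlib.pbkdf2_hmac)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def added_bits(iterations: int) -> float:
    """Effective key bits gained by stretching: multiplying the per-guess
    cost by `iterations` is worth log2(iterations) extra bits, assuming the
    rounds cannot be collapsed into a single equivalent operation."""
    return math.log2(iterations)


def offline_cost(keyspace: int, iterations: int) -> int:
    """Hash evaluations needed to exhaust a keyspace when the attacker holds
    the verifier and can test candidates offline at full speed."""
    return keyspace * iterations


def make_verifier(password: bytes, salt: bytes, iterations: int) -> dict:
    """Store salt, iteration count and the stretched digest, never the
    password itself."""
    return {
        "salt": salt,
        "iterations": iterations,
        "digest": stretch_key(password, salt, iterations),
    }


def check_password(verifier: dict, candidate: bytes) -> bool:
    """Recompute the stretched digest and compare it in constant time."""
    digest = stretch_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(digest, verifier["digest"])


class OnlineVerifier:
    """A verifier reachable only through this object, with a hard cap on
    consecutive failures (the ATM model): once locked, no further candidate
    is checked, so the space cannot be walked however small it is."""

    def __init__(self, verifier: dict, max_failures: int) -> None:
        self._verifier = verifier
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, candidate: bytes) -> bool:
        if self.locked:
            return False
        if check_password(self._verifier, candidate):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample: a 4-digit PIN and a fixed salt, with a small
    # iteration count so the demonstration runs quickly.
    pin, salt = b"1234", b"constructed-salt"
    v = make_verifier(pin, salt, iterations=1000)
    print("correct PIN accepted:", check_password(v, pin))
    print("bits added by 2^20 rounds:", added_bits(2 ** 20))
    print("bits added by one million rounds:", round(added_bits(1_000_000), 2))
    print("offline evaluations, 10^4 PINs at 10^6 rounds:",
          offline_cost(10_000, 1_000_000))
    guard = OnlineVerifier(v, max_failures=3)
    for guess in (b"0000", b"0001", b"0002", b"1234"):
        print(guess, guard.attempt(guess), "(locked)" if guard.locked else "")
```

The two verifiers share the same stored digest; the only difference is whether the guessing loop runs against the digest directly (cost scales with `iterations` per candidate) or through `OnlineVerifier`, where the failure cap bounds the total number of candidates regardless of how cheap each one is.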
(I think Kent Borg wrote this)
> What do we do about a population which thinks a 4-digit PIN is secure? If people use their current ATM PINs--and a lot of computer users *do* when they are allowed--there will be problems: if we want privacy we had better figure out how to give everyone privacy.

Fact is, most people never think about real security.

Safe manufacturers have said that improvements in safes (the metal kind) were driven by insurance rates. A direct incentive to spend more money to improve security (cost of better safe < cost of higher insurance rate).

Right now there is almost no economic incentive for people to worry about PIN security, about protecting their files, etc. (Banks eat the costs and pass them on...any bank which tried to save a few bucks in losses by requiring 10-digit PINs--which people would *write down* anyway!--would lose customers. Holograms and pictures on bank cards are happening because the costs have dropped enough.)

Personally, my main interest is in ensuring the Feds don't tell me I can't have as much security as I want to buy. I don't share the concern quoted above that we have to find ways to give other people security. (And to think people call me an elitist!)

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
> [etc.]
> What do we do about a population which thinks a 4-digit PIN is secure?
> [etc.]
> Fact is, most people never think about real security.
> Safe manufacturers have said that improvements in safes (the metal kind) were driven by insurance rates. A direct incentive to spend more
> [etc.]

Speaking of safes and the psychology of passwords....

A very funny (and scientifically interesting) book is: _Surely You're Joking, Mr. Feynman_

One of its chapters (entitled "Safecracker" if my memory serves) discusses the locking file cabinets and safes used by the scientists working on the Manhattan Project (_big_ bomb). Richard P. Feynman took great joy picking, cracking and otherwise bypassing these security measures. He got no end of joy guessing passwords (combinations) based on the personality of the safe owner. The first digits of pi and e were common....

One very high military muckety-muck spent a great deal of money for a walk-in safe with very thick, hardened steel walls. (Since the importance of secrets is obviously proportional to rank!) The high muckety-muck never took the time to change the default combination....

The math is easy; it's the cultural side of crypto that's tough!

Cort.

P.S. There is a compact disk recording available of the late Mr. Feynman actually telling this story (along with some of his famous bongo music). It is a treasure if you are interested in that sort of thing. I don't have the address of the publisher, but it can be found somewhere in the second biography of RPF. (Something like, _You Can Think for Yourself_...????)
> (Something like, _You Can Think for Yourself_...????)

Actually, it's entitled "What Do I Care What Other People Think". I'm not sure which one I like better, however in the first book, when he talks about hiding the door, and describes where he put it, well, I followed those directions and found the spot. (Unfortunately the house has since been renovated, so the exact room isn't the same)

-derek
Participants (5): cort, Derek Atkins, kentborg@world.std.com, Phil Karn, tcmay@netcom.com