At 11:06 AM 9/13/00 -0400, Trei, Peter wrote:

Here's an example of a good passphrase:

"David grossly underestimates the ability of homo sapiens to memorize and exactly reproduce long texts. An examination of American high school students ability to perform the Gettysburg Address is a good counterexample."

222 bytes, more or less. Even if we assume only 1bit of entropy per character (it's ordinary english), that's a pretty tough space to search. It's a safe bet that those two sentences have never been placed together in all of human history before now, so there's no dictionary to check.

The problem is not that passphrases *can't* be made secure - the problem is that most people are unwilling to use good ones.

Peter Trei

Well I'm flattered :-) and impressed. I would be more impressed if e.g., you actually used such an entropic phrase, in real life. Of course, we don't expect you reveal the actual length of your 'phrase. I think you have convinced me, reinforcing something I've learned and propogated: convenience over security. You have also reinforced something that fits with what I know of cog sci, and which gets to the limits of H. sapiens: you can only remember large things if they're structured 'meaningfully'. Kasparov can't remember *random* chessboards better than you, only real ones. DH, CSEE & Cog Sci '86