---------- From: David Honig[SMTP:honig@sprynet.com]

At 12:00 PM 8/31/00 -0400, Joseph Ashwood wrote:

...

No but I feel free to type a hundred or so, but that's beside the point. The claim made was that anything a human can remember, a computer can brute force, this was simply one very clear example that it simply was not true, as I rather thoroughly established.

Anything large that a human can remember has enough structure so that you don't need brute force, you use a dictionary-based attack.

This is nonsense. The wordspace of languages is large enough that it's easy to compose perfectly reasonable texts which are highly resistant to dictionary attacks. For one of my leisure time activities, I have to memorize set texts up to 15 minutes long. I'm expected to give these letter perfect, and I do. Here's an example of a good passphrase: "David grossly underestimates the ability of homo sapiens to memorize and exactly reproduce long texts. An examination of American high school students ability to perform the Gettysburg Address is a good counterexample." 222 bytes, more or less. Even if we assume only 1bit of entropy per character (it's ordinary english), that's a pretty tough space to search. It's a safe bet that those two sentences have never been placed together in all of human history before now, so there's no dictionary to check. The problem is not that passphrases *can't* be made secure - the problem is that most people are unwilling to use good ones. Peter Trei