Password Difficulties

Kent Borg kentborg at world.std.com
Fri Jul 1 18:53:29 PDT 1994


Hey folks, passwords are hard to choose!
 
It boils down to this: I can't remember as many bits as the TLAs can
crack by brute force.
 
Starting with a bunch of coin tosses I tried ways of coding them: hex,
ASCII, and words off word lists.
 
Horrors!  The hex is too long, the ASCII is too long and too obscure,
words chosen by those bits too many and too obscure.
 
Sorry, there is no way regular people are going to remember pass words
or phrases with more than about 50-bits worth of information in
them--and even doing that well is going to be rare.
 
We need to slow down password testing?
 
Obvious things come to mind.  1) Try to pair up short passwords with
slow hardware, like a smartcard that can only consider a few passwords
a second.  2) Try to hide behind an expensive operation.  (Does
encrypting my private key 1,000,000-times equal encrypting it once
with a key 20-bits longer?)
 
What do we do?  (What are you folks doing right now?)


-kb, the Kent who occasionally considers practicalities


--
Kent Borg                                                  +1 (617) 776-6899
kentborg at world.std.com                                
kentborg at aol.com                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!
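
The "expensive operation" idea from the message above, as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 as the slow step, a constructed sample passphrase and a 2048-word list; it shows that 1,000,000 iterations add about 19.9 bits of work per password guess, but nothing against a direct search of the derived key.

```python
import hashlib
import hmac
import math
import os

def stretch(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key-encryption key. PBKDF2-HMAC-SHA256 stands in
    (assumption) for the post's "encrypt it 1,000,000 times"."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored key."""
    return hmac.compare_digest(stretch(password, salt, iterations), expected)

def added_bits(iterations: int) -> float:
    """Each guess costs `iterations` HMAC evaluations: log2(iterations) bits of work."""
    return math.log2(iterations)

def effective_bits(password_bits: float, iterations: int, key_bits: int = 256) -> float:
    """Cheapest search: stretched password guessing, or guessing the derived
    key directly, which stretching does not slow down."""
    return min(password_bits + added_bits(iterations), key_bits)

def symbols_needed(bits: int, alphabet_size: int) -> int:
    """Symbols needed to carry `bits` coin tosses in a given encoding."""
    return math.ceil(bits / math.log2(alphabet_size))

if __name__ == "__main__":
    bits = 50  # the post's estimate of what people can memorize
    for name, size in [("hex", 16), ("printable ASCII", 95), ("2048-word list", 2048)]:
        print(f"{bits} bits as {name}: {symbols_needed(bits, size)} symbols")
    salt = os.urandom(16)                      # per-user random salt
    n = 1_000_000                              # iteration count from the post
    key = stretch("constructed sample phrase", salt, n)
    print("verify ok:", verify("constructed sample phrase", salt, n, key))
    print(f"added work: {added_bits(n):.2f} bits, "
          f"effective: {effective_bits(bits, n):.2f} bits")
```

The legitimate user pays the same per-attempt delay, and the gain holds only while the iterated function has no shortcut.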





