Password Difficulties

Kent Borg kentborg at world.std.com
Sat Jul 2 01:41:42 PDT 1994


joshua at cae.retix.com writes:
>>   Hey folks, passwords are hard to choose!
>
>?

What part don't you understand?

Give people the opportunity to choose "random" passwords and they
choose easily guessed strings.  (Well demonstrated.)

Tell people to choose a *phrase* and they are going to frequently type
"The quick brown fox...".  (My assertion.)

Your suggestion about rare steak is so long that "normal" people are
not going to bother with it.  Just getting people to type the
19-characters of "the quick brown fox"--just four words--is going to
be hard, and there are not very many bits of information in 4 short
common English words--forget that they are a cliche.

Besides, your sample phrase might not have as many bits in it as you
think.

>Rare steak tastes good when it is cooked over a wood fire. better
>chicken. better than fish. good with worcestershire sauce.

22 words, a good start.  But all will appear in a short dictionary
list, 4 grammatical sentences, sentences with related meaning.  Not so
good.  Slightly non-standard capitalization--but only a few bits in
that.  You suggest a phrase that is going to seem annoying to people
raised on 4-digit PINs, yet it still might not have, say, the 128-bits
lots of people want.

My 128 coin tosses can be roughly turned into 8-words, but out of a
much larger word list than your phrase and with no grammatical
connections--and hard to remember.  Each transformation I might do to
those words to help remember them chops off a few of my original bits.
By the time I have something my mother is going to bother with there
are few bits left.  A little brute force and those bits are blown.

And why should you care if my mom uses weak keys?  Because it will
undermine the legal weight of things like digital signatures.  Because
all communication you have with "normal" people will be nearly in the
clear because of their poor security.  If you want privacy, you need
to help others have privacy.

Back to a rephrasing of my original question: should programs like PGP
super-duper encrypt the private key (and remove those hints people
have mentioned recently) as a way of slowing down brute-force attacks?


-kb

P.S. Remember, even a good hashing algorithm should not be expected to
create entropy out of thin air.  Too few bits in means too few bits
out.  Just because I don't know how to analyze those bits does not
mean you should be content.


--
Kent Borg                                                  +1 (617) 776-6899
kentborg at world.std.com                                
kentborg at aol.com                                      
          Proud to claim 31:15 hours of TV viewing so far in 1994!
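
An added example (not part of the original post) that puts numbers on the argument above: 128 random bits map losslessly onto 8 words only when the list has 65,536 entries, and stretching the passphrase adds log2(iterations) bits of attacker work without adding any entropy. The 2,048-word "common" list, PBKDF2-HMAC-SHA256 as the stretching function, and all function names are assumptions of this sketch.

```python
import hashlib
import math
import secrets

BITS_PER_WORD = 16  # assumption: a 65,536-word list, so 128 bits -> 8 words


def key_to_indices(key, bits_per_word=BITS_PER_WORD):
    """Split random key bytes into word-list indices without losing bits."""
    total = len(key) * 8
    if total % bits_per_word:
        raise ValueError("key size must be a multiple of bits_per_word")
    value = int.from_bytes(key, "big")
    count = total // bits_per_word
    mask = (1 << bits_per_word) - 1
    return [(value >> (bits_per_word * (count - 1 - i))) & mask
            for i in range(count)]


def indices_to_key(indices, bits_per_word=BITS_PER_WORD):
    """Inverse of key_to_indices: the words carry every original bit."""
    value = 0
    for index in indices:
        value = (value << bits_per_word) | index
    return value.to_bytes(len(indices) * bits_per_word // 8, "big")


def phrase_entropy_bits(words, wordlist_size):
    """Upper bound: each word drawn uniformly and independently."""
    return words * math.log2(wordlist_size)


def attacker_work_bits(entropy_bits, iterations):
    """log2 of hash calls needed to try every phrase at `iterations` per guess."""
    return entropy_bits + math.log2(iterations)


def stretch(passphrase, salt, iterations):
    """Derive a 128-bit key-encryption key; slower per guess, no new entropy."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=16)


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # the 128 coin tosses
    assert indices_to_key(key_to_indices(key)) == key
    weak = phrase_entropy_bits(4, 2048)    # constructed: 4 words, 2,048-word list
    print("8 random words:", phrase_entropy_bits(8, 2 ** 16), "bits")
    print("4 common words:", weak, "bits;",
          attacker_work_bits(weak, 2 ** 20), "bits of work after 2^20 rounds")
    print(stretch("the quick brown fox", b"constructed-salt", 1000).hex())
```

The entropy figures are upper bounds: any grammatical link between words or mnemonic transformation lowers them, which is the loss the post describes.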





