CDR: RE: Is kerberos broken? cpunk

Trei, Peter ptrei at rsasecurity.com
Wed Sep 13 08:06:56 PDT 2000



> ----------
> From: 	David Honig[SMTP:honig at sprynet.com]
> 
> At 12:00 PM 8/31/00 -0400, Joseph Ashwood wrote:
> >No but I feel free to type a hundred or so, but that's beside the
> >point. The claim made was that anything a human can remember, a
> >computer can brute force, this was simply one very clear example that
> >it simply was not true, as I rather thoroughly established.
> 
> Anything large that a human can remember has enough structure so that you
> don't need brute force, you use a dictionary-based attack.
> 
This is nonsense. The wordspace of languages is large enough that 
it's easy to compose perfectly reasonable texts which are 
highly resistant to dictionary attacks.

For one of my leisure time activities, I have to memorize set texts
up to 15 minutes long. I'm expected to give these letter perfect, and
I do. 

Here's an example of a good passphrase:

"David grossly underestimates the ability of homo sapiens to memorize
and exactly reproduce long texts. An examination of American 
high school students ability to perform the Gettysburg Address is a
good counterexample."

222 bytes, more or less. Even if we assume only 1bit of entropy per
character (it's ordinary english), that's a pretty tough space to search.
It's a safe bet that those two sentences have never been placed
together in all of human history before now, so there's no dictionary
to check.

The problem is not that passphrases *can't* be made secure -
the problem is that most people are unwilling to use good ones. 

Peter Trei



 






More information about the cypherpunks-legacy mailing list