CDR: RE: Is kerberos broken? cpunk

David Honig honig at sprynet.com
Wed Sep 13 20:32:53 PDT 2000


At 11:06 AM 9/13/00 -0400, Trei, Peter wrote:
>Here's an example of a good passphrase:
>
>"David grossly underestimates the ability of homo sapiens to memorize
>and exactly reproduce long texts. An examination of American 
>high school students ability to perform the Gettysburg Address is a
>good counterexample."
>
>222 bytes, more or less. Even if we assume only 1 bit of entropy per
>character (it's ordinary English), that's a pretty tough space to search.
>It's a safe bet that those two sentences have never been placed
>together in all of human history before now, so there's no dictionary
>to check.
>
>The problem is not that passphrases *can't* be made secure -
>the problem is that most people are unwilling to use good ones. 
>
>Peter Trei

Well I'm flattered :-) and impressed.   I would be more impressed if
e.g., you actually used such an entropic phrase, in real life.  Of course,
we don't expect you to reveal the actual length of your 'phrase.

I think you have convinced me, reinforcing something I've learned and
propagated: convenience over security.  You have also reinforced something
that fits with what I know of cog sci, and which gets to the limits of H.
sapiens: you can only remember large things if they're structured
'meaningfully'.  Kasparov can't remember *random* chessboards better than
you, only real ones.

DH, CSEE & Cog Sci '86

More information about the cypherpunks-legacy mailing list