CDR: RE: Is kerberos broken? cpunk

Trei, Peter ptrei at rsasecurity.com
Thu Sep 14 06:57:28 PDT 2000



> ----------
> From: 	David Honig[SMTP:honig at sprynet.com]
> Sent: 	Wednesday, September 13, 2000 11:26 PM
> To: 	Trei, Peter; Multiple recipients of list
> Subject: 	RE: Is kerberos broken? cpunk
> 
> At 11:06 AM 9/13/00 -0400, Trei, Peter wrote:
> >Here's an example of a good passphrase:
> >
> >"David grossly underestimates the ability of homo sapiens to memorize
> >and exactly reproduce long texts. An examination of American 
> >high school students ability to perform the Gettysburg Address is a
> >good counterexample."
> >
> >222 bytes, more or less. Even if we assume only 1 bit of entropy per
> >character (it's ordinary English), that's a pretty tough space to search.
> >It's a safe bet that those two sentences have never been placed
> >together in all of human history before now, so there's no dictionary
> >to check.
> >
> >The problem is not that passphrases *can't* be made secure -
> >the problem is that most people are unwilling to use good ones. 
> >
> >Peter Trei
> 
> Well I'm flattered :-) and impressed.   I would be more impressed if
> e.g., you actually used such an entropic phrase, in real life.  Of course,
> we don't expect you to reveal the actual length of your 'phrase.
> 
My passphrases are of substantial length. 

As for enterprise logins, 'we have a solution to that problem' :-)
http://www.rsasecurity.com/products/securid/

> I think you have convinced me, reinforcing something I've learned and
> propagated: convenience over security.  You have also reinforced something
> that fits with what I know of cog sci, and which gets to the limits of H.
> sapiens: you can only remember large things if they're structured
> 'meaningfully'.  Kasparov can't remember *random* chessboards better than
> you, only real ones.
> 
> DH, CSEE & Cog Sci '86
> 
It's interesting - structure reduces the entropy by making things
predictable, but also makes them capable of memorization, despite
non-trivial amounts of remnant entropy.

Peter
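An added illustration of the entropy argument in this thread (not part of the original messages): it measures how much the structure of ordinary English lowers the per-character entropy of the quoted passphrase compared with uniformly random printable ASCII, and converts the conservative 1 bit/character figure into a brute-force search cost. The 95-character alphabet and the 10^12 guesses/second rate are assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed sample: the passphrase quoted in the thread, joined into one line.
PASSPHRASE = (
    "David grossly underestimates the ability of homo sapiens to memorize "
    "and exactly reproduce long texts. An examination of American "
    "high school students ability to perform the Gettysburg Address is a "
    "good counterexample."
)

PRINTABLE_ASCII = 95  # assumed alphabet of a fully random passphrase


def order0_bits_per_char(text: str) -> float:
    """Shannon entropy of the single-character frequency distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def order1_bits_per_char(text: str) -> float:
    """Conditional entropy H(next char | previous char).

    Structure (common digraphs, word boundaries) makes each character more
    predictable from its predecessor, so this comes out lower than the
    order-0 figure. On a sample this short the bigram model overfits, so the
    value is an underestimate; the direction of the effect is what matters."""
    pairs = Counter(zip(text, text[1:]))
    prev = Counter(text[:-1])
    total = len(text) - 1
    return -sum(c / total * math.log2(c / prev[a]) for (a, _), c in pairs.items())


def search_space_bits(length: int, bits_per_char: float) -> float:
    """Size of the effective key space for a passphrase of this length."""
    return length * bits_per_char


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate 2**bits candidates at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    n = len(PASSPHRASE)
    print(f"length: {n} chars")
    print(f"random printable ASCII: {math.log2(PRINTABLE_ASCII):.2f} bits/char")
    print(f"order-0 estimate:       {order0_bits_per_char(PASSPHRASE):.2f} bits/char")
    print(f"order-1 estimate:       {order1_bits_per_char(PASSPHRASE):.2f} bits/char")
    bits = search_space_bits(n, 1.0)  # the thread's conservative 1 bit/char
    print(f"at 1 bit/char: {bits:.0f} bits, {years_to_exhaust(bits, 1e12):.2e} years at 1e12 guesses/s")
```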