[Cryptography] Recommendations in lieu of short AES passphrases

Kent Borg kentborg at borg.org
Mon Sep 19 08:39:02 EDT 2016


On 09/19/2016 03:37 AM, Michael Kjörling wrote:
> On 18 Sep 2016 17:43 -0400, from kentborg at borg.org (Kent Borg):
>> Starting with "don't recycle passwords", "write them down", and some
>> diceware-style advice for how to choose decent passwords.
> Curious. You disagree with what I suggest, then suggest some of the
> same things yourself.
>

That's because I largely agree with you.

The reason I then repeated some of your points was to answer the 
objection "It's too complicated, getting too long." There is plenty to 
say, but that 19-word sentence you quote is pretty dang short, yet 
describes a *big* improvement on the typical case.

I do admit a fudge in my count of 19-words: "some diceware-style advice" 
is honestly more than just 4-words of content. But it doesn't take too 
much explanation to get across the idea of don't just "dream up" 
passwords but take some unpredictable input from the real world and 
incorporate it into your passwords.

There are certainly dangling issues those 19-words don't address, but 
because they put the problem into the physical domain, regular people will 
be able to reason about them and add some sane elaborations on their 
own. Tell people to keep their list of passwords safe? Sure, but that's 
also the kind of thing they can be reasonably expected to figure out 
themselves.

No, the 19-words don't address encryption keys being different 
passwords, but I don't recommend normal people encrypt their passwords 
with a password manager anyway, and regular people don't do much other 
encryption. Probably they should, but the point is there is some low 
hanging fruit here that doesn't have to be that complicated. Simple is 
good. My choice of 19-words isn't exclusive nor possessing special 
magic, they are just an example. But they are simple, and if followed, 
would work pretty well.

-kb, the Kent who insists complexity is the chronic enemy of security.
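The "take some unpredictable input from the real world" part of the diceware-style advice above is easy to show in code. The following is an added example, not code from Kent Borg or the mailing list: it maps physical die throws onto a wordlist index the standard diceware way (each throw is a base-6 digit), reports the entropy the resulting passphrase carries, and falls back to the OS CSPRNG only when no dice are supplied. The 36-entry wordlist is constructed for the demo; a real diceware list has 7776 entries and uses five dice per word, and the mapping handles any list whose size is a power of six.

```python
import math
import secrets

# Constructed toy wordlist for a two-dice (6 x 6 = 36 entry) list.
# A real diceware list has 7776 entries indexed by five dice.
TOY_WORDLIST = (
    "acorn badge cabin daisy eagle fable gauge habit igloo jolly kayak lemon "
    "mango noble olive piano quilt radar saber tango ultra vivid whale xenon "
    "yacht zebra amber bison cedar delta ember flint grove honey ivory jumbo"
).split()


def rolls_to_index(rolls):
    """Map die faces (1..6), most significant first, to a zero-based index.

    This is the diceware convention: five faces 1,1,1,1,1 -> 0 and
    6,6,6,6,6 -> 7775, i.e. the rolls are read as base-6 digits.
    """
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"die face out of range: {face}")
        index = index * 6 + (face - 1)
    return index


def dice_per_word(list_size):
    """Number of dice needed to index a list of the given size."""
    n = round(math.log(list_size, 6))
    if 6 ** n != list_size:
        raise ValueError("wordlist size must be a power of six")
    return n


def roll_dice(n):
    """Fallback when no physical dice are at hand: roll with the OS CSPRNG."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words words drawn uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist, n_words, rolls=None):
    """Build a passphrase from die faces.

    rolls: the physical throws, in order, as faces 1..6; must contain
    dice_per_word(len(wordlist)) * n_words faces. If None, roll with
    secrets instead of real dice.
    """
    n = dice_per_word(len(wordlist))
    if rolls is None:
        rolls = [face for _ in range(n_words) for face in roll_dice(n)]
    rolls = list(rolls)
    if len(rolls) != n * n_words:
        raise ValueError(f"need {n * n_words} die faces, got {len(rolls)}")
    words = [wordlist[rolls_to_index(rolls[i * n:(i + 1) * n])]
             for i in range(n_words)]
    return " ".join(words)


if __name__ == "__main__":
    # Pretend these four faces were thrown on a table: two words from the toy list.
    print(generate_passphrase(TOY_WORDLIST, 2, rolls=[3, 4, 6, 1]))
    print(f"{passphrase_entropy_bits(7776, 6):.1f} bits for six real diceware words")
```

The entropy figure is what makes the "how many words" question answerable: each word from a 7776-entry list contributes about 12.9 bits, so six words give roughly 77.5 bits regardless of which words come up, and the strength comes from the dice, not from the user dreaming up something that feels random.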
