[Cryptography] Recommendations in lieu of short AES passphrases
kentborg at borg.org
Mon Sep 19 08:39:02 EDT 2016
On 09/19/2016 03:37 AM, Michael Kjörling wrote:
> On 18 Sep 2016 17:43 -0400, from kentborg at borg.org (Kent Borg):
>> Starting with "don't recycle passwords", "write them down", and some
>> diceware-style advice for how to choose decent passwords.
> Curious. You disagree with what I suggest, then suggest some of the
> same things yourself.
That's because I largely agree with you.
The reason I then repeated some of your points was to answer the
objection "It's too complicated, getting too long." There is plenty to
say, but that 19-word sentence you quote is pretty dang short, yet
describes a *big* improvement on the typical case.
I do admit a fudge in my count of 19-words: "some diceware-style advice"
is honestly more than just 4-words of content. But it doesn't take too
much explanation to get across the idea of don't just "dream up"
passwords but take some unpredictable input from the real world and
incorporate it into your passwords.
There are certainly dangling issues those 19-words don't address, but
because they put problem into the physical domain, regular people will
be able to reason about them and add some sane elaborations on their
own. Tell people to keep their list of passwords safe? Sure, but that's
also the kind of thing they can be reasonably expected to figure out
No, the 19-words don't address encryption keys being different
passwords, but I don't recommend normal people encrypt their passwords
with a password manager anyway, and regular people don't do much other
encryption. Probably they should, but the point is there is some low
hanging fruit here that doesn't have to be that complicated. Simple is
good. My choice of 19-words isn't exclusive nor possessing special
magic, they are just an example. But they are simple, and if followed,
would work pretty well.
-kb, the Kent who insists complexity is the chronic enemy of security.
More information about the cryptography