[Cryptography] Passwords are dying - get over it

Bill Cox waywardgeek at gmail.com
Mon Dec 23 12:07:25 EST 2013


On Mon, Dec 23, 2013 at 11:14 AM, Kent Borg <kentborg at borg.org> wrote:

> Using a private key has three problems I see:
>
> 1. Another opportunity for an attacker: the key file.
>
> 2. Now I need to manage all the places I store key files.
>
> 3. The passphrase protecting the private key needs to be much stronger
> than does a password because there is a limit on how fast a password can be
> checked because the server will throttle attempts. Yes, you are talking
> about key strengthening, but I still want a lot of real entropy in my base
> passphrase, just in case the strengthening isn't so good.  Something worth
> 128-bits of entropy is a pain to remember and type.  But a password can be
> pretty short and still good (for example, 4-digit ATM PINs).
>

I agree with all these points.  However, github and other sites I visit
often require a public ssh key.  A lot of git management tools require
public ssh keys to work, and I have one linux server I manage that has many
users who log in with ssh keys as a result.  A decent high entropy pass
phrase is just too hard to type every time I want to log onto these
servers, so my security is weak.  Grr...


> P.S.  Passwords can be pretty easy to type, or have lots of entropy in
> them: but then they get long and hard to type without errors--and hard to
> remember.  For example, this has 128-bits of entropy in it (as it was
> mechanically and created out of 128-bits of /dev/urandom by a reversible
> coding):
>
> e195-16-explore-xray-comet-8bd7-orinoco-reward-canvas-72-strong-spain-poker
>

That's one heck of a password.  A randomly generated password can guarantee
security, but I'm too lazy to type that sort of monster every time!


> Remembering a series of three randomly chosen words is easy, there always
> seems to be a meaning that can be associated with them, but to "curve fit"
> an idea through many such random words is hard.  And typing with only
> bullet characters as feedback is error-prone.
>

If the word table has the most common 2^13 (8K) words, then such a pass
phrase has 39 bits of entropy.  That's not bad if the KDF were scrypt
running in 1G of memory for a second.  A $1B scrypt stretcher running on a
password guesser that knows you have 3 words chosen from the list of 10,000
would likely take an hour and a half to crack this.  In reality, such a
machine probably does not yet exist, so you'd be safe for now.  However, if
it's just AES-256 for 2048 rounds, a cheap 1T-hash/second machine (for only
$10,000 using BitCoin ASICs) enables guessing at a rate of 500M
guesses/second, and would crack this in 19 minutes.  That's not much
security!  That's why I'm promoting a switch to better KDFs, like scrypt.
I look forward to seeing the result of the upcoming competition.
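
The work-factor comparison in the message above, as an added example that is not part of the original post: it reproduces the 39-bit and roughly 19-minute figures from the stated inputs, then times one real scrypt evaluation locally. The scrypt parameters (n=2^14, r=8, p=1, about 16 MiB) are an assumption chosen so the block runs quickly; they are not the 1G setting discussed, and the measured time is for this machine's CPU, not attacker hardware.

```python
import hashlib
import math
import os
import time


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def guesses_per_second(raw_hashes_per_second: float, kdf_iterations: int) -> float:
    """Guess rate when every guess costs kdf_iterations primitive hashes."""
    return raw_hashes_per_second / kdf_iterations


def seconds_to_exhaust(bits: float, guess_rate: float) -> float:
    """Worst-case time to try every candidate; the average is half of this."""
    return 2.0 ** bits / guess_rate


def scrypt_seconds_per_guess(n: int = 2 ** 14, r: int = 8, p: int = 1,
                             trials: int = 3) -> float:
    """Time one scrypt evaluation here (needs about 128 * n * r bytes of RAM)."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        # Constructed sample passphrase; only the cost matters, not the output.
        hashlib.scrypt(b"constructed sample passphrase", salt=salt,
                       n=n, r=r, p=p, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


def report() -> dict:
    bits = passphrase_bits(2 ** 13, 3)            # 3 words from an 8K-word list
    iterated = guesses_per_second(1e12, 2048)     # 1T hash/s machine, 2048 rounds
    per_guess = scrypt_seconds_per_guess()        # assumed demo parameters
    one_core = seconds_to_exhaust(bits, 1.0 / per_guess)
    return {
        "bits": bits,
        "iterated_hash_minutes": seconds_to_exhaust(bits, iterated) / 60,
        "scrypt_one_core_years": one_core / (365.25 * 86400),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value:,.1f}")
```

Raising n or r increases both the time and the memory each guess costs, which is the lever the message argues for.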