[Cryptography] Passwords are dying - get over it

Arnold Reinhold agr at me.com
Tue Dec 24 16:36:58 EST 2013


On 23 Dec 2013 11:14 Kent Borg wrote:
> Passwords can be pretty easy to type, or have lots of entropy in 
> them: but then they get long and hard to type without errors--and hard 
> to remember.  For example, this has 128-bits of entropy in it (as it was 
> mechanically and created out of 128-bits of /dev/urandom by a reversible 
> coding):
> 
> e195-16-explore-xray-comet-8bd7-orinoco-reward-canvas-72-strong-spain-poker

A 10 word Diceware™ password has 129 bits of entropy.  Not trivial to memorize, but easier than your 13 words, and the individual words are shorter on average as well, e.g.:

   field mint flue elk hock paris 1990 ax quake sutton

On 23 Dec 2013 19:10 Lars Luthman wrote:
> But how much key stretching do you want? Even with a billion rounds you
> don't add more than ~30 bits of work, which is less than what you get by
> adding three more words to a Diceware-like passphrase using a dictionary
> with 2000 words.

Key stretching is not just about rounds. It can also engage more of the transistors on a typical client or server computer, forcing a hardware attacker to use more silicon area for each attack pipeline.  A factor of a million in transistor count over a simple SHA hash is not unreasonable, and coupled with a million iterations, one could get to a 40-bit increase in attack cost. But even 30 bits of key stretching gain gives a 4 word Diceware passphrase 81-bit strength and 5 words 94 bits. You get 120-bits with 7 Diceware words and 30 bits of stretching, close enough to full 128-bit strength, and three words fewer than are needed without any key stretching, e.g.:

   hamlin jig cub naiad frey allyn pig

Those three fewer words can make the difference between a passphrase that an ordinary person can remember and a burden most will shun. The vital role key stretching plays can be thought of as impedance matching crypto security systems to human memory capabilities.

Arnold Reinhold
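
The strength accounting used in this message, worked as an added example (it is not part of the original post): passphrase bits plus stretching bits, the word count needed for a target, and a memory-hard derivation. The function names, the choice of scrypt as the memory-hard function and its parameters are assumptions; dice-roll keys stand in for words because no word list is embedded.

```python
import hashlib
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries: one word per five dice rolls


def stretch_bits(iterations, silicon_factor=1):
    """Attacker work added by stretching: log2(rounds x per-round hardware cost)."""
    return math.log2(iterations * silicon_factor)


def effective_bits(words, stretch=0.0, list_size=DICEWARE_LIST_SIZE):
    """Attack cost in bits for uniformly random words plus stretching gain."""
    return words * math.log2(list_size) + stretch


def words_needed(target_bits, stretch=0.0, list_size=DICEWARE_LIST_SIZE):
    """Fewest random words that reach target_bits once stretching is counted."""
    return max(0, math.ceil((target_bits - stretch) / math.log2(list_size)))


def roll_words(count):
    """Select words the Diceware way; each key such as '31526' indexes one word."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(count)]


def stretch_key(passphrase, salt, n=2 ** 14, r=8, p=1):
    """Memory-hard stretching with scrypt (illustrative parameters, an assumption)."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


if __name__ == "__main__":
    for words in (4, 5, 7, 10):
        print(f"{words:2d} words: {int(effective_bits(words))} bits bare, "
              f"{int(effective_bits(words, 30))} bits with 30 bits of stretching")
    print("a billion rounds adds", round(stretch_bits(10 ** 9), 1), "bits")
    print("a million rounds x a million-fold silicon adds",
          round(stretch_bits(10 ** 6, 10 ** 6), 1), "bits")
    print("words for 120 bits:", words_needed(120), "bare,",
          words_needed(120, 30), "with 30 bits of stretching")
    keys = roll_words(7)             # look each key up in a Diceware word list
    salt = secrets.token_bytes(16)   # stored beside the derived key
    print(" ".join(keys), "->", stretch_key(" ".join(keys), salt).hex())
```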

