[Cryptography] Passwords are dying - get over it

Jonathan Thornburg jthorn at astro.indiana.edu
Wed Dec 25 14:05:40 EST 2013


I wrote:
> >What are the advantages & disadvantages of this (diceware) vs the old
> >"think of a long sentence or phrase, and take the 1st letter of each
> >word" scheme.  E.g. "FDR was elected to 3 full terms as US president
> >& also served part of a 4th term, but he was never vice-president"
> >gives
> >  Fwet3ftaUp&aspoa4t,bhwnv-p

On Wed, 25 Dec 2013, Kent Borg replied:
> My problem is the "think of" part, I want a password that has
> been built from random data, not something I dreamed up.  If the
> phrase really is memorable, it might be from The Lord of The Rings,
> and so part of a cracker list. (Your example appears not to be.)

You're right.  I should have written "a long sentence or phrase
which is *unique*, i.e., something that no one has ever written before".
Anything that's part of some larger body of text (whether dead-trees
or online) is verboten.


> If it is something you made up and no one could anticipate, will
> it be memorable enough? Will you mess up a comma or preposition?

It seems to me to be a modest improvement on the "sequence of
semantically-unrelated-words" scheme.

My (geek) experience is that for passwords which are used *often*
(say multiple times per day) memorization happens automagically.
So... such a scheme can be used for the (strong) master password which
unlocks a password manager; the latter can be used to hold all the other
passwords with which one is plagued.

Of course, this requires a strong password manager, a robust (encrypted)
backup scheme for the password-manager database, and probably various
other fundamentally-doable-but-all-tricky-for-non-geeks tasks which
have slipped my mind right at the moment.

I don't know how well or poorly this will work for non-geeks.

On the optimistic side: even <stereotype exemplar of nontechnical
computer user> probably knows a great many details about *something*
(maybe the history of the 1953 playoffs in <sport>, maybe 8 generations
of family genealogy, maybe the social life of every TV starlet of
the past decade, but most humans have passionate interests in
*something*).  Using the 1st-letter-of-each-word scheme, that
"something" could be the topic underlying a fairly-memorable strong
password.

On the pessimistic side: I fear that this (together with the use of a
good password manager and robust encrypted backups for same) is asking
for more mental effort than [the quite small amount] the median computer
user is willing to exert.

Along these lines, the classic
  Whitten & Tygar
  "Why Johnny can't Encrypt: A Usability Evaluation of PGP 5.0"
  8th Usenix Security Symposium, 1999
  http://www.usenix.org/publications/library/proceedings/sec99/full_papers/whitten/whitten.pdf
is very salutary, and well worth rereading every so often.

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
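
The first-letter scheme discussed in this message, together with a check for the "part of some larger body of text" problem, as an added example that is not part of the original post. The function names and the two-line `KNOWN_TEXT` corpus are constructed for illustration; a real check would run against a large quotation or book corpus.

```python
import re

# The phrase and expected password quoted in the message above.
PAGE_PHRASE = ("FDR was elected to 3 full terms as US president & also "
               "served part of a 4th term, but he was never vice-president")

# Constructed sample of "known text"; stands in for a real cracker corpus.
KNOWN_TEXT = [
    "It was the best of times, it was the worst of times, it was the age of wisdom",
    "Call me Ishmael. Some years ago, never mind how long precisely",
]


def first_letter_password(phrase):
    """First character of each word; punctuation marks and hyphens are kept."""
    # A "word" is a run of letters/digits/apostrophes; anything else that is
    # not whitespace (',', '&', '-') is kept as its own one-character part.
    parts = re.findall(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']", phrase)
    return "".join(part[0] for part in parts)


def words(text):
    """Lower-cased word list, so case and punctuation do not hide a match."""
    return re.findall(r"[a-z0-9']+", text.lower())


def known_text_overlap(phrase, corpus, n=5):
    """Return the first run of n consecutive words of `phrase` that also
    occurs in `corpus`, or None when no such run exists."""
    phrase_words = words(phrase)
    n = min(n, len(phrase_words))      # short phrases are compared whole
    if n == 0:
        return None
    seen = set()
    for doc in corpus:
        w = words(doc)
        seen.update(tuple(w[i:i + n]) for i in range(len(w) - n + 1))
    for i in range(len(phrase_words) - n + 1):
        run = tuple(phrase_words[i:i + n])
        if run in seen:
            return " ".join(run)
    return None


if __name__ == "__main__":
    print(first_letter_password(PAGE_PHRASE))
    print(known_text_overlap(PAGE_PHRASE, KNOWN_TEXT))
    print(known_text_overlap("My cat thinks it was the best of times", KNOWN_TEXT))
```

A phrase that passes this check is only known to be absent from the corpus supplied; it says nothing about how guessable the phrase is otherwise.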

