[Cryptography] Passwords are dying - get over it

Arnold Reinhold agr at me.com
Wed Dec 25 15:40:54 EST 2013 

On 24 Dec 2013 15:27 Bill Frantz wrote:
> On 12/24/13 at 1:36 PM, agr at me.com (Arnold Reinhold) wrote:
> 
>> You get 120-bits with 7 Diceware words and 30 bits of 
>> stretching, close enough to full 128-bit strength, and three 
>> words fewer than are needed without any key stretching, e.g.:
>> 
>> hamlin jig cub naiad frey allyn pig
>> 
>> Those three fewer words can make the difference between a 
>> passphrase that an ordinary person can remember and an burden 
>> most will shun. The vital role key stretching plays can be 
>> thought of as impedance matching crypto security systems to 
>> human memory capabilities.
> 
> This is a password that I will have to be entering every day or 
> write down. (I'm an old man and my memory isn't as good as it 
> used to be.) There are three words, hamlin, naiad, and allyn 
> that I, as a native English speaker can't define. (The spell 
> checker fails hamlin and allyn.) I'd have to learn to spell at 
> least two of them.
> 
> The need for entropy in passwords has already passed my 
> diminished abilities. If you're looking for universal adoption, 
> there's a problem.

Hamlin and Allyn are proper names. Many short name are included in the Diceware(tm) list to keep the average word length low. Other word lists are possible of course. And looking up an unfamiliar word can be an aid to memorization. The "never write down your password" stricture has been widely debunked. Most people need dozens of passwords. It is unreasonable to expect users to memorize more than a few high strength passwords, perhaps just their hard drive and password manager master passwords. Strong KDFs would help for both uses.

24 Dec 2013 Jonathan Thornburg asked:
> 
> What are the advantages & disadvantages of this (diceware) vs the old
> "think of a long sentence or phrase, and take the 1st letter of each word"
> scheme.  E.g. "FDR was elected to 3 full terms as US president & also
> served part of a 4th term, but he was never vice-president" gives
>  Fwet3ftaUp&aspoa4t,bhwnv-p
> That's 26 characters, with surely at least 4 bits of entropy/character,
> so we're comfortably over 100 bits of entropy.

There is no theoretical basis for the "at least 4 bits of entropy per character" you claim. People following the advice you cite are likely to use phrases in published works, such as books or songs, with predictable variations. The most common examples, such as popular quotes and lyrics, are likely already in password cracking tables. Also the initial characters in English words are even less uniformly distributed than English text in general. 

The entropy in Diceware word selection is a demonstrable 12.9 bits per word assuming a strong source of randomness, such as dice, is used. Diceware users are not asked to think up something unpredictable. It is well established that people are lousy at that.

I just posted to my blog (diceware.blogspot.com) a different approach, which is to generate a string of 10 random letters and then make up a mnemonic sentence that has those letters as its initial letters, using a simple table.  The sentences can be a bit wonky, and 10 random letters have only 47 bits of entropy, but with a good key stretcher that could be enough for may uses. Here is an example:
mngjkwyufk
	"Mary's nice goats joyously keep wimpy youths urging fast karma"

For more entropy, one can insert random numbers before the noun clauses, e.g.
	
	m81ngjk74wyufk

	"Mary's 81 nice goats joyously keep 74 wimpy youths urging fast karma" 

Four random digits adds 13 bits of entropy, bringing us up to 60 bits. If still more is needed, one can use two sentences, or come up with a scheme for something longer, like a random poem or haiku.

Again, the random string is the password, the sentence is just an aid for memorization. Password formats are a matter of taste. It's good to have more than one strong option.

Arnold Reinhold



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131225/69289540/attachment.html>

More information about the cryptography mailing list