[Cryptography] Say 'unguessable' not random

Jerry Leichter leichter at lrw.com
Fri Aug 26 22:42:17 EDT 2016


> I wonder if something like a banking site should generate unguessable
> passwords for new users.  It could display the password to the user and
> instruct him to write it down.  Then when he pushes the "Continue"
> button, it would require him to enter the password.  If he didn't write
> it down correctly then he wouldn't be able to do that.

I don't see that as workable for most applications for human-interface reasons, but there is one place it *is* used:  Apple lets you generate "recovery keys" for various things (encrypted disks, iCloud accounts).  The keys are long and random.  When you first generate one, it appears on your screen.  You'd better record it, because it will never be shown to you again.  Typically, you print it and store the result someplace safe.
                                                        -- Jerry
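
The display-once, type-it-back flow discussed in this message, sketched as an added example (it is not part of the original post and is not Apple's implementation). The key length, alphabet, PBKDF2 parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: 32 symbols (5 bits each), without the look-alikes 0/O and 1/I.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 200_000  # assumed work factor


def generate_recovery_key(groups=6, group_len=4):
    """Draw the key from the OS CSPRNG; 6 x 4 symbols gives 120 bits."""
    chars = [secrets.choice(ALPHABET) for _ in range(groups * group_len)]
    return "-".join("".join(chars[i:i + group_len])
                    for i in range(0, len(chars), group_len))


def normalize(entered):
    """Ignore harmless transcription differences: case, spaces, dashes."""
    return "".join(entered.upper().split()).replace("-", "")


def _derive(key, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(key).encode(),
                               salt, PBKDF2_ROUNDS)


def enroll(key):
    """What the server keeps: a salt and a digest, never the key itself,
    so the key cannot be shown a second time."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _derive(key, salt)}


def confirm(record, entered):
    """The 'Continue' step: the user must type back what was displayed."""
    return hmac.compare_digest(_derive(entered, record["salt"]),
                               record["digest"])


if __name__ == "__main__":
    key = generate_recovery_key()
    record = enroll(key)
    print("Write this down, it will not be shown again:", key)
    print("Typed back correctly:", confirm(record, key.lower()))
```
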


