[Cryptography] generated passphrases

Kent Borg kentborg at borg.org
Wed Aug 14 20:36:27 EDT 2019

On 8/14/19 2:00 PM, Arnold Reinhold via cryptography wrote:
> One could get denser entropy than that with grammatically correct 
> sentences. 

Something I have played with manually is nonsense words, pronounceable 
syllables, strung together. (Notably, something like a feature I think 
the old pwgen had.) It might be a way to cram more entropy into human 

Pick a random consonant, pick a random vowel, pick another random 
consonant...  Follow out rules to make it pronounceable. It doesn't need 
to be a very long string to build up significant entropy.

But not enough for a good passphrase.

Next approach: take the above pronounceable nonsense "word" and mix in 
some other stuff. Random capitaliZAtion someplaCe, extra symbols here, a 
pair of digits there, etc. If the starting "word" is in some sense 
sensible then the abuse layered on top can be recognized as a separate 
layer to be remembered.

The cognitive load ends up being two-part: the fake word, and the 
mangling of the "word" layered on top.

It still isn't easy to do big entropy, but it can maybe get pretty good, 
and the total length gets long enough that if the internal structure 
isn't known to the attacker (Have you noticed my being a bit vague...?) 
the brute force search space is still horrible.

> But the reality is that almost no one is willing and able to memorize a 128-bit passphrase, indeed few will memorize an 80-bit passphrase. Any crypto currency or other security scheme that depends on people memorizing and entering very long passphrases is not going to gain wide consumer acceptance.

Maybe if well done you could get someone to memorize one well crafted 
passphrase...  Maybe only 100-low-something-bits. (Significantly easier 
than 128-bits! Those extra two-dozen-ish bits are hard.) But don't 
expect people to remember many such. (Another scary topic.)

> That leads to the necessity of using effective key stretching.

I think key stretching is a great idea...that I don't want to depend on. 
The idea of devising incremental, necessarily serial work, that will 
necessarily take lots of time even of a well-financed foe, yet still 
cheap enough to do on a little battery while I wait? A nice idea, but I 
remain skeptical. (And ignorant, I admit.)

Give me defensible entropy: counting bits going into how the passphrase 
was generated, not after-the-fact estimates by an ignorant observer.

But that's hard. Hence my point at the top.

> Key stretching addresses a critical mismatch in security technology, how much entropy a typical user can be expected to remember and enter accurately, vs how much entropy is needed for system security. So here is a big question: why doesn’t key stretching get more respect?

Because provably-large yet not-too-much work is a hard hair to split.

And because passwords!, everyone knows passwords are the worst. 
Annoying, not sexy, about to be replaced any moment now--for decades now 
about to be replaced any moment now. And don't you know you just have 
to just chant "2FA"--SecureID, SMS, doesn't matter the details--to 
solve everything?
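The two-layer scheme sketched in the message (a pronounceable CVC nonsense "word", then a separate mangling layer), with the entropy counted from the generation process rather than estimated afterwards, as an added example that is not part of the original post. The consonant/vowel alphabets and the mangling rules (capitalize one random letter, insert a random two-digit number at a random gap) are assumptions chosen for illustration, not pwgen's actual rules; the bit counts are honest only because every choice is a uniform, independent draw from `secrets`, and they already assume the attacker knows the structure.

```python
import math
import secrets

# Assumed alphabets (an assumption for this example; pwgen's real rules differ).
# q and y are dropped so every consonant-vowel-consonant syllable is sayable.
CONSONANTS = "bcdfghjklmnprstvwxz"   # 19 choices
VOWELS = "aeiou"                      # 5 choices


def bits(n_choices: int) -> float:
    """Entropy contributed by ONE uniform choice among n_choices options."""
    return math.log2(n_choices)


def syllable_bits() -> float:
    """A CVC syllable is three independent uniform picks, so the bits add."""
    return bits(len(CONSONANTS)) + bits(len(VOWELS)) + bits(len(CONSONANTS))


def syllables_needed(target_bits: float) -> int:
    """How many CVC syllables it takes to reach target_bits of generated entropy."""
    return math.ceil(target_bits / syllable_bits())


def make_word(n_syllables: int, rng=secrets) -> tuple[str, float]:
    """Layer 1: the nonsense word. Returns (word, bits of entropy that went in).

    rng must provide choice(seq) and randbelow(n); secrets does (CSPRNG).
    """
    word = "".join(
        rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CONSONANTS)
        for _ in range(n_syllables)
    )
    return word, n_syllables * syllable_bits()


def mangle(word: str, rng=secrets) -> tuple[str, float]:
    """Layer 2: abuse layered on top, remembered separately from the word.

    Capitalize one letter (uniform over len(word) positions) and insert a
    two-digit number 00-99 (uniform) at one of len(word)+1 gaps (uniform).
    All three draws are independent, so their bits add to the word's bits.
    """
    n = len(word)
    cap_pos = rng.randbelow(n)
    number = rng.randbelow(100)
    gap = rng.randbelow(n + 1)

    letters = list(word)
    letters[cap_pos] = letters[cap_pos].upper()
    mangled = "".join(letters)
    mangled = mangled[:gap] + f"{number:02d}" + mangled[gap:]

    extra_bits = bits(n) + bits(100) + bits(n + 1)
    return mangled, extra_bits


def generate(target_bits: float, rng=secrets) -> tuple[str, float]:
    """Full passphrase: enough syllables for target_bits, then the mangling layer."""
    word, word_bits = make_word(syllables_needed(target_bits), rng)
    passphrase, extra = mangle(word, rng)
    return passphrase, word_bits + extra


if __name__ == "__main__":
    # Shows why the "extra two-dozen-ish bits" are expensive: syllables, not bits, are what you memorize.
    for target in (80, 100, 128):
        n = syllables_needed(target)
        print(f"{target:>3} bits -> {n} syllables ({3 * n} letters)")
    pw, total = generate(80)
    print(f"example: {pw}  ({total:.1f} bits went in)")
```

Note that the mangling layer is worth only about 16 bits on a 24-letter word, which is roughly one and a half more syllables; it buys memorability (a separate thing to remember) far more than it buys entropy. Anything an attacker can predict about the scheme is already priced in here; what must not be predictable is the draws themselves, hence `secrets`.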

