[Cryptography] Passwords (Smallest feasible work factor today?)

Phillip Hallam-Baker phill at hallambaker.com
Thu Sep 8 21:17:54 EDT 2022


On Thu, Sep 8, 2022 at 1:36 AM Jon Callas <jon at callas.org> wrote:

>
>
> > On Sep 7, 2022, at 08:20, Phillip Hallam-Baker <phill at hallambaker.com>
> wrote:
> >
> > Folk, what are people's thoughts on the smallest work factor that can be
> considered acceptable today? I am thinking 2^80.
> >
>
> I removed the following text, but I basically agree with you on all the
> following. It's your problem statement I want to discuss.
>
> The main thing I want to discuss is that you haven't given a threat model.
> You've implied a threat model, but haven't stated one. And without a threat
> model we can't have an answer. I'm going to be mildly contrarian, with my
> tongue in my cheek as well.
>
> If you're talking about a password for a web site, you may not need 80
> bits.
>

+1

As often happens, we are in perfect agreement here; I already have that
point in the piece: Not my asset, not my problem. The arrogance of thinking
I am going to waste my expensive mental energy to protect someone else's
asset when I am not being paid...

I have over 500 stored passwords. What sort of cretin would imagine that I
would possibly remember 500 different ones? Someone would have to be a
special type of stupid with extra stupid sauce to believe anyone could do
that.


> On the other hand, most of my passwords on web sites these days are ones
> that are generated by a password manager. A bunch of those (the older ones)
> are ~71 bits of entropy (a guess because it's 12 characters of
> upper-lower-numeral with some dashes in there) or the new ones that have
> ~107 bits of entropy because it's 18 characters. So yeah, sure -- my
> present policy of having my password manager generate a random password is
> in line with what you're saying. However, note that what this really means
> is "get/use a password manager and let it do it for you."
>

That is the first step in my password replacement strategy.

If we had an open password manager infrastructure (open standard, everyone
picks their own service, works with every browser etc) that syncs passwords
across all the user's devices it would be MUCH easier to persuade people
to use them.

Now imagine that password manager is also a credential manager that can
either sync private keys for use in SSH/ FIDO2/ TLS Client Auth etc. or
provision separate keys to each device and credential them.

So now the password manager is also the transition strategy to ubiquitous
deployment of strong public key authentication.

> Still, though, I don't know your threat model. I'm still guessing. I don't
> know what problem you're trying to solve, unless it's the obvious abstract
> problem.
>

Just looking to knock down some of the user blaming and the 'solutions' I
see as transferring blame. The silliness of the special characters is well
known. But passphrases are no better. 'battery horse staple correct' has a
work factor of 2^60 at best.
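
The arithmetic behind the figures in this thread, as an added example that is not part of the original message: a uniformly random secret has length × log2(alphabet size) bits, so a target work factor fixes a minimum length. The 62-symbol alphabet follows the "upper-lower-numeral" description (dashes ignored), and the 7776-word list size (the Diceware list) is an assumption, not something stated in the thread.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols: upper, lower, numeral
DICEWARE_WORDS = 7776  # assumption: size of the standard Diceware list (6**5)

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` independent uniform draws from `symbols` choices."""
    return length * math.log2(symbols)

def min_length(symbols: int, target_bits: int) -> int:
    """Smallest length whose search space is at least 2**target_bits.
    Uses exact integer arithmetic, so there is no floating point rounding."""
    length = 1
    while symbols ** length < 2 ** target_bits:
        length += 1
    return length

def vocabulary_for(target_bits: int, words: int) -> int:
    """Word-list size at which a `words`-word phrase reaches target_bits."""
    return math.ceil(2 ** (target_bits / words))

def generate(alphabet, target_bits: int) -> list:
    """Minimum-length secret over `alphabet` (characters or words), drawn
    with the OS CSPRNG. Only uniform random choice gives the computed bits;
    a human-chosen secret of the same length has less."""
    pool = sorted(set(alphabet))  # duplicates would skew the distribution
    return [secrets.choice(pool) for _ in range(min_length(len(pool), target_bits))]

if __name__ == "__main__":
    for n in (12, 18):
        print(f"{n} alphanumeric chars: {entropy_bits(62, n):.1f} bits")
    print("4 Diceware words:", f"{entropy_bits(DICEWARE_WORDS, 4):.1f} bits")
    for bits in (60, 80):
        print(f"2^{bits}: {min_length(62, bits)} chars or "
              f"{min_length(DICEWARE_WORDS, bits)} Diceware words")
    print("list size for 4 words at 2^60:", vocabulary_for(60, 4))
    print("example 2^80 password:", "".join(generate(ALNUM, 80)))
```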