9fans - fans of the OS Plan 9 from Bell Labs
From: "Devon H. O'Dell" <devon.odell@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] offered without comment or judgement
Date: Tue, 29 Jun 2010 16:00:23 -0400	[thread overview]
Message-ID: <AANLkTiltIvLwnsQ7KD7Mg1-lovxPWkEP_fdBmJDcudgZ@mail.gmail.com> (raw)
In-Reply-To: <cc46666fc01b510fb0ab8df960136c36@ladd.quanstro.net>

2010/6/29 erik quanstrom <quanstro@quanstro.net>:
>> The length of the phrase is actually in fact tied explicitly to
>> memory. The longer a string of characters, the more difficult it is to
>> remember. That's just fact.
>
> repeating this doesn't make it true, but it does make
> the phrase easier to remember.  so i think your argument
> is its own defeat.  the gettysburg address is fairly easy for
> me to remember.  but i don't think i'd have such an easy
> time on a randomly-chosen 285-word phrase.
>
> clearly something this long is not necessary.  i'm sure you
> have made-up phrases with non-words you tell our dog.
> that should be easy to remember, not on the internet, and
> have the added bonus that you get to smile while typing your
> password.

You're taking this slightly out of context. I said that this is
coupled with the fact that peers encourage the use of randomness in a
password, and companies enforce password policies that corroborate
this need. I'm not suggesting there's a set length at which point
people have difficulty remembering something, but there is certainly a
correlation: you certainly aren't going to argue the chances of
remembering "fsd&e" are much greater than remembering
"amsdagk3881((@!3ll1..dags8" are you? Similarly, you wouldn't argue
that at some point you spent time learning the Gettysburg Address --
it's not simply something you read once and recalled. (If so, this is
impressive, and you shouldn't argue this as "normal".) Length of the
phrase is certainly tied to the ability to commit it to memory. Yes,
I'm repeating this using empirical evidence as I'm slightly too lazy
to go look up any of the several articles I've read about how we
memorize things and how "brain storage" actually works. There are ways
to bypass this to some degree: adding music or a tune, creating rhyme,
setting to iambic pentameter (or any "rhythmization" for that matter).

As computing systems continue to get stronger, the necessity of longer
passphrases will increase -- or slower secure algorithms will need to
be developed. (Or possibly more fitting algorithms, given the
possibility of quantum computing, which may intrinsically provide
solutions to some implementation issues following PKI).

>> When talking about symmetric cryptography, "four score and seven years
>> ago" would probably be a great key. There is no convenient rainbow
>> table upon which to do a hash lookup. It's sufficiently expensive to
>> brute-force.
>
> i'm not convinced of this.  here's why.  i was reading yesterday
> about a research-project that built a machine that could try 1 billion
> rsa keys/sec.  now consider such a machine in the possession of bad
> guys.  for them it would make sense to harvest nearly every phrase
> you can find on the internet and try it.  the hard part would be
> crawling the net.

I certainly have several nonsensical words / names for my cats. None
of them contain numbers or punctuation or anything associated with a
strong passphrase. The longest of these is probably about 12
characters. And a system that can try a billion RSA keys per second is
going to quickly exhaust the relatively short combination of these,
even brute-forcing. And you're right -- as I also alluded above, the
continued computing and mathematical advancements made by society at
large will continue to obsolete any statements about what a "good pass
phrase" is.

Right now, it's length and perceived randomness.

People have enough difficulty remembering short passwords. Or creating
"good" passwords in the first place. Upper bounds along with enforcing
permutations are placed to reduce people's likelihood of forgetting
them while still providing some level of security. It's not the best
approach, but until people start treating passwords like an ATM card
with a PIN, it's not going to matter much anyway. (Ignoring that PINs
for most cards only have 9990 or fewer permutations.)

--dho

> - erik
>
>
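The exchange above turns on one quantity: how many guesses an attacker must make, divided by how fast they can make them. The following is an added example, not code from the thread or from anyone posting in it, that puts the cases the two posters mention side by side: a short random string, a long random string, a 12-character lowercase "cat name", a 4-digit PIN, and a phrase lifted from a public text, which an attacker who has harvested quotations only needs to look up rather than brute-force. The guess rate of one billion per second is the figure quoted in the thread; the size of the harvested-phrase corpus (one billion phrases) is an assumption chosen for illustration.

```python
"""Rough search-space and time-to-exhaust estimates for password strategies.

Constructed example for the 9fans passphrase discussion. The guess rate
comes from the thread; the corpus size for harvested phrases is assumed.
"""
import math

GUESSES_PER_SEC = 1e9        # figure quoted in the thread
PRINTABLE_ASCII = 95         # printable ASCII, space included
LOWERCASE = 26
DIGITS = 10
HARVESTED_CORPUS = 10 ** 9   # assumed size of an attacker's phrase list


def random_string_space(length: int, alphabet_size: int) -> int:
    """Number of candidates for a uniformly random string over the alphabet.

    Only valid when the characters really are chosen uniformly; a string
    that merely looks random (a word with digits appended) is smaller."""
    return alphabet_size ** length


def harvested_phrase_space(corpus_size: int = HARVESTED_CORPUS) -> int:
    """A phrase copied from a public text is one entry in a harvested list,
    so the attacker's work is the corpus size, not the character space."""
    return corpus_size


def pin_space(digits: int = 4, excluded: int = 0) -> int:
    """Candidates for a numeric PIN, minus any combinations a bank refuses
    (the thread's '9990 or fewer' corresponds to excluding ten of 10000)."""
    return DIGITS ** digits - excluded


def entropy_bits(space: int) -> float:
    """Guessing entropy in bits for a uniform choice over `space` candidates."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def strength_report() -> list:
    """Compare the strategies discussed in the thread. Returns a list of
    (label, candidates, bits, seconds_to_exhaust) tuples."""
    cases = [
        ("fsd&e (5 random printable)",
         random_string_space(len("fsd&e"), PRINTABLE_ASCII)),
        ("amsdagk3881((@!3ll1..dags8 (26 random printable)",
         random_string_space(len("amsdagk3881((@!3ll1..dags8"), PRINTABLE_ASCII)),
        ("12-char lowercase pet name (if it were random)",
         random_string_space(12, LOWERCASE)),
        ("4-digit PIN",
         pin_space(4)),
        ("'four score and seven years ago' from a harvested corpus",
         harvested_phrase_space()),
    ]
    return [(label, space, round(entropy_bits(space), 1), seconds_to_exhaust(space))
            for label, space in cases]


if __name__ == "__main__":
    for label, space, bits, secs in strength_report():
        years = secs / (365.25 * 24 * 3600)
        print(f"{label}\n  candidates={space:.3g}  bits={bits}  "
              f"exhaust={secs:.3g}s (~{years:.3g} years)")
```

The lesson the numbers make plain is Erik's point: the long Gettysburg phrase is strong only if it is not in the attacker's list, and a memorable private string is strong only to the extent it was actually chosen at random. Treating pet names as if they had the character space of random strings overstates them badly, and a lookup against a harvested corpus is bounded by the corpus size whatever the phrase length.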


