From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References:
Date: Tue, 29 Jun 2010 14:41:21 -0400
Message-ID:
From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [9fans] offered without comment or judgement
Topicbox-Message-UUID: 3990c15e-ead6-11e9-9d60-3106f5b1d025

2010/6/29 Steve Simon :
>> But you can do at least as good as these forms of ID. PKI requires
>> knowledge of some sort of passkey. (I just worry about identification
>> for people who are not smart enough to pick a good key. Which,
>> unfortunately, is also most people.
>
> My understanding is a passkey just needs sufficient entropy in order to be strong.

Sure. But you can still brute-force a 4-character passkey in a reasonably short time.

> This can be a few characters drawn from a larger character set - your password must
> be no more than 16 chars and must contain upper and lower case numbers and punctuation.
>
> Alternatively it could be a long string made up of a restricted character set - your
> pass phrase can consist of any text characters but must not contain long repetitions
> and be of at least 200 characters long (say).

This works, but tends to be easy to get out of people or figure out about people if you know a bit about them.

> Thus a passphrase may be a quote from your favorite movie, a lyric or the like. This
> can then be hashed into a higher entropy string (is this statement true?) used for
> authentication.
>
> I don't understand why modern security systems have an upper limit on passphrase length.

Because people can't remember passwords, and companies don't like employing full-time password changers.

--dho

> (waits for people who know better to tell him he is dumb).
>
> -Steve
>
>
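An added worked example, not from the thread and not Devon's or Steve's code, for the three points argued above: the entropy of a short key over a large alphabet versus a long phrase over a small one, how quickly a 4-character key falls to exhaustive search, and the parenthetical "(is this statement true?)" about hashing a quote into a higher-entropy string. It is not true: a hash output is as wide as the hash, but an attacker only has to enumerate the inputs, so a 256-bit digest of one of N well-known lines carries log2(N) bits of effective entropy, however long the line. Assumptions are marked in the code: a 94-character printable set as the "larger character set", SHA-256 (unsalted) as the illustrative hash, a constructed five-line quote corpus standing in for "a quote from your favorite movie, a lyric or the like", and a guessing rate of 10^9/s.

```python
"""Passphrase entropy vs. guessability.  Added example, not from the thread."""
import hashlib
import itertools
import math
import string

# Assumption: the "larger character set" is the 94 printable ASCII characters
# (letters, digits, punctuation; space excluded).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols:
    length * log2(alphabet_size).  Only valid when the symbols really are random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every key of the given entropy at a fixed rate."""
    return 2.0 ** bits / guesses_per_second


def hash_passphrase(phrase: str) -> str:
    """Unsalted SHA-256 as the illustrative 'hash into a higher entropy string'.
    The digest is 256 bits wide, but it is no harder to guess than its input."""
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()


def brute_force_key(target: str, alphabet: str, length: int):
    """Enumerate every key of `length` symbols over `alphabet`, in lexicographic
    order, until one hashes to `target`.  Returns (key, guesses) or (None, guesses)."""
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        guesses += 1
        key = "".join(combo)
        if hash_passphrase(key) == target:
            return key, guesses
    return None, guesses


def dictionary_attack(target: str, candidates):
    """Try each candidate phrase plus a few cheap variants (case, trailing
    punctuation), the way a real cracker's rule set would.
    Returns (phrase, guesses) or (None, guesses)."""
    guesses = 0
    for base in candidates:
        for variant in (base, base.lower(), base.upper(), base.rstrip(".!?"), base + "."):
            guesses += 1
            if hash_passphrase(variant) == target:
                return variant, guesses
    return None, guesses


# Constructed stand-in for "a quote from your favorite movie, a lyric or the like".
# A real attacker uses a corpus of millions; the conclusion is the same.
FAMOUS_LINES = [
    "To be, or not to be, that is the question.",
    "I'll be back.",
    "May the Force be with you.",
    "Here's looking at you, kid.",
    "All your base are belong to us.",
]


def effective_entropy_of_quote(corpus_size: int) -> float:
    """If the phrase is one of `corpus_size` well-known lines, that corpus is all
    the attacker must enumerate, regardless of the phrase's length or the hash width."""
    return math.log2(corpus_size)


if __name__ == "__main__":
    rate = 1e9  # assumption: one billion SHA-256 guesses per second
    for desc, alphabet, length in [
        ("4 chars, 94-char set", 94, 4),
        ("16 chars, 94-char set", 94, 16),
        ("200 random chars, 26-char set", 26, 200),
    ]:
        b = entropy_bits(alphabet, length)
        print(f"{desc:32s} {b:7.1f} bits, exhaustive search {seconds_to_exhaust(b, rate):.3g} s")

    # A 4-character lowercase key: at most 26**4 = 456,976 guesses, well under a
    # second even in pure Python.
    key, n = brute_force_key(hash_passphrase("bell"), string.ascii_lowercase, 4)
    print(f"recovered 4-char key {key!r} after {n} guesses")

    # A long quote hashed with SHA-256 falls in a handful of guesses.
    phrase, n = dictionary_attack(hash_passphrase("May the Force be with you."), FAMOUS_LINES)
    print(f"recovered quote {phrase!r} after {n} guesses "
          f"({effective_entropy_of_quote(len(FAMOUS_LINES)):.2f} bits of effective entropy)")
```

Run it as a script to see the figures side by side: four printable characters give about 26 bits, sixteen give about 105, and two hundred truly random lowercase letters give about 940; but a two-hundred-character quote that is one of N known lines gives log2(N), which is why the quote's SHA-256 is recovered in eleven guesses here. The `brute_force_key` and `dictionary_attack` functions return the guess count so that the work factor, not just success, can be compared.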