9fans - fans of the OS Plan 9 from Bell Labs
From: "Devon H. O'Dell" <devon.odell@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] offered without comment or judgement
Date: Tue, 29 Jun 2010 15:13:03 -0400
Message-ID: <AANLkTim_3pauNZbTQm-uyoWv0m09MaW8wPeKtdSLCVPG@mail.gmail.com>
In-Reply-To: <1449883d7baedf2bc03d0857a73b6a98@coraid.com>

2010/6/29 erik quanstrom <quanstro@labs.coraid.com>:
>> > I don't understand why modern security systems have an upper limit on passphrase length.
>>
>> Because people can't remember passwords, and companies don't like
>> employing full-time password changers.
>
> i don't understand this comment.  the length of a password
> is only vaguely related to memorability.  long english phrases
> are easy to remember.  unfortunately, they are also easy to
> harvest automatically, so "four score and seven years ago" might
> be a bad password.

The problem is two-fold:

a) Lay-people are told by all their "computer guru" friends to choose
a password that is difficult to guess. Add numbers, capital letters,
punctuation. Most people don't think in this sort of context, and it
is difficult to remember.

b) People don't regard the idea as particularly important. I know many
people who routinely forget 6-8 character passwords.

The length of the phrase is actually in fact tied explicitly to
memory. The longer a string of characters, the more difficult it is to
remember. That's just fact. You have to practice to recite a
monologue; most people can't just read it once and commit it to
memory. In a similar fashion, most people must either write down a
password (which is dumb) or recite it for a fairly lengthy period of
time to remember it. Note that places having an upper bound on
password length usually also have other password policies (like "must
contain at least one of each: capital letter, lowercase letter, and
number"). This either means things like initials and important dates
(birthdays, anniversaries, etc.) or random gibberish. People are told
not to use something that can be socially engineered, so random
gibberish it is. And people at large just don't get it. It's easily
forgettable.

When talking about symmetric cryptography, "four score and seven years
ago" would probably be a great key. There is no convenient rainbow
table upon which to do a hash lookup. It's sufficiently expensive to
brute-force. The only thing that would give you any sort of advantage
is knowing it was an English phrase and trying all of them.
Misspellings, punctuation, capitalization, and the like can all throw
this off. So picking something directly out of song lyrics, quotes, or
a book of idioms is likely to be useless. Adding in a single period,
comma, or some creative capitalization is fantastic.

But we all know about passwords here.

--dho

> - erik
>
>
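Added example, not from the thread or any of its authors: a small Python estimator of the phrase-list attack described above. It scores a verbatim quote, the same quote with punctuation and capitalisation changed, a misspelled version, and short random characters under the cheapest attack model that applies. The phrase list, the per-phrase variant budget (VARIANTS_PER_PHRASE) and the function names are constructed assumptions.

```python
import math
import re
import string

# Constructed stand-in for the kind of phrase list an attacker could harvest
# automatically (quotes, lyrics, idioms). A real list would be far larger.
KNOWN_PHRASES = [
    "four score and seven years ago",
    "to be or not to be that is the question",
    "a stitch in time saves nine",
    "the quick brown fox jumps over the lazy dog",
]
# Assumed budget of spelling/punctuation/capitalisation variants an attacker
# tries per harvested phrase (hypothetical figure, not from the thread).
VARIANTS_PER_PHRASE = 2 ** 10


def normalize(phrase):
    """Lower-case, drop punctuation, collapse spaces: the canonical form a
    phrase harvester would compare against."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", phrase.lower())
    return " ".join(cleaned.split())


def random_char_bits(password):
    """Guess space in bits if the password were random over the character
    classes it actually uses: the 'random gibberish' model (upper bound)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def estimate_bits(password, phrases=KNOWN_PHRASES):
    """Return (model, bits) for the cheapest applicable attack model:
    exact phrase hit -> log2(N) guesses (a plain lookup);
    hit after normalisation -> attacker must also enumerate variants;
    no hit (misspelling, or not a known phrase) -> random-character bound."""
    canonical = {normalize(p) for p in phrases}
    n_bits = math.log2(len(phrases))
    if password in phrases:
        return "phrase-list", n_bits
    if normalize(password) in canonical:
        return "phrase-list+variants", n_bits + math.log2(VARIANTS_PER_PHRASE)
    return "random-chars", random_char_bits(password)


if __name__ == "__main__":
    for pw in ("four score and seven years ago", "Four score, and seven years ago!",
               "four score and sevn years ago", "k7$Qp2Lw"):
        print(f"{pw!r:40} {estimate_bits(pw)}")
```

The random-character figure for the misspelled phrase is only an upper bound; a real attacker would try common misspellings before falling back to brute force.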
