MIME-Version: 1.0
In-Reply-To: <1449883d7baedf2bc03d0857a73b6a98@coraid.com>
References: <1449883d7baedf2bc03d0857a73b6a98@coraid.com>
Date: Tue, 29 Jun 2010 15:13:03 -0400
Message-ID:
From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] offered without comment or judgement
Topicbox-Message-UUID: 39cf863c-ead6-11e9-9d60-3106f5b1d025

2010/6/29 erik quanstrom:
>> > I don't understand why modern security systems have an upper limit on passphrase length.
>>
>> Because people can't remember passwords, and companies don't like
>> employing full-time password changers.
>
> i don't understand this comment.  the length of a password
> is only vaguely related to memorability.  long english phrases
> are easy to remember.  unfortunately, they are also easy to
> harvest automatically, so "four score and seven years ago" might
> be a bad password.

The problem is two-fold:

a) Lay-people are told by all their "computer guru" friends to choose a
password that is difficult to guess. Add numbers, capital letters,
punctuation. Most people don't think in this sort of context, and it is
difficult to remember.

b) People don't regard the idea as particularly important.

I know many people who routinely forget 6-8 character passwords. The
length of the phrase is actually in fact tied explicitly to memory. The
longer a string of characters, the more difficult it is to remember.
That's just fact. You have to practice to recite a monologue; most
people can't just read it once and commit it to memory. In a similar
fashion, most people must either write down a password (which is dumb)
or recite it for a fairly lengthy period of time to remember it.

Noting that places having an upper bound on password length usually
also have other password policies (like "must contain at least one of
each: capital letter, lowercase letter, and number"). This either means
things like initials and important dates (birthdays, anniversaries,
etc.) or random gibberish. People are told not to use something that can
be socially engineered, so random gibberish it is. And people at large
just don't get it. It's easily forgettable.

When talking about symmetric cryptography, "four score and seven years
ago" would probably be a great key. There is no convenient rainbow
table upon which to do a hash lookup. It's sufficiently expensive to
brute-force. The only thing that would give you any sort of advantage
is knowing it was an English phrase and trying all of them.
Misspellings, punctuation, capitalization, and the like can all throw
this off. So picking something directly out of song lyrics, quotes, or
a book of idioms is likely to be useless. Adding in a single period,
comma, or some creative capitalization is fantastic.

But we all know about passwords here.

--dho

> - erik
>
>
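As an added worked example (not part of the original thread), the search-space arithmetic behind the passphrase argument above: a character-level search over the plain phrase, the same phrase taken verbatim from a list of known quotes, and the phrase with capitalisation and punctuation varied. It assumes a 94-character keyboard alphabet, a constructed corpus of 100,000 known English phrases, and a simple mutation model (independent capitalisation of each word plus one of four choices at each word gap); all of these are assumptions, not figures from the message.

```python
import math
import string

# Constructed parameters for the comparison (assumptions, not figures from the thread).
KEYBOARD_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)  # 94
LOWERCASE_AND_SPACE = 27      # what a character-level search over a plain phrase must cover
PHRASE_CORPUS = 100_000       # assumed size of a quote/lyric/idiom list that could be enumerated
GAP_MARKS = 4                 # assumed choices at each word gap: nothing, ',', '.', ';'


def random_password_bits(length, alphabet_size=KEYBOARD_ALPHABET):
    """Bits of entropy in a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def character_bruteforce_bits(phrase, alphabet_size=LOWERCASE_AND_SPACE):
    """Cost of searching the phrase character by character, ignoring that it is English.
    This is the 'sufficiently expensive to brute-force' case from the message."""
    return len(phrase) * math.log2(alphabet_size)


def verbatim_phrase_bits(corpus_size=PHRASE_CORPUS):
    """A phrase taken unchanged from a known list is only as strong as that list is long."""
    return math.log2(corpus_size)


def mutated_phrase_bits(phrase, corpus_size=PHRASE_CORPUS, gap_marks=GAP_MARKS):
    """Search space once each word may be capitalised independently and each gap
    between words may carry one of `gap_marks` choices (a deliberately small model)."""
    words = phrase.split()
    case_choices = 2 ** len(words)                 # capitalise or not, per word
    punct_choices = gap_marks ** (len(words) - 1)  # one choice per gap between words
    return math.log2(corpus_size) + math.log2(case_choices) + math.log2(punct_choices)


def strength_comparison(phrase="four score and seven years ago"):
    """Return the four figures side by side so they can be compared directly."""
    return {
        "random_8_chars": random_password_bits(8),
        "phrase_char_bruteforce": character_bruteforce_bits(phrase),
        "phrase_verbatim_from_corpus": verbatim_phrase_bits(),
        "phrase_with_case_and_punctuation": mutated_phrase_bits(phrase),
    }


if __name__ == "__main__":
    for name, bits in strength_comparison().items():
        print(f"{name:34s} {bits:6.1f} bits")
```

The figures show where the phrase's strength actually comes from: its 30 characters cost far more than 8 random keyboard characters only if nothing about it is known, it collapses to a few bits once it is recognised as a stock quotation, and it recovers a measurable amount only by departing from the quotation, which is the point the message makes.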