2010/6/29 erik quanstrom <quans...@quanstro.net>: >> The length of the phrase is actually in fact tied explicitly to >> memory. The longer a string of characters, the more difficult it is to >> remember. That's just fact > > repeating this doesn't make it true, but it does make > the phrase easier to remember. so i think your argument > is its own defeat. the gettysburg address is fairly easy for > me to remember. but i don't think i'd have such an easy > time on a randomly-choosen 285-word phrase. > > clearly something this long is not necessary. i'm sure you > have made-up phrases with non-words you tell our dog. > that should be easy to remember, not on the internet, and > have the added bonus that you get to smile while typing your > password.
You're taking this slightly out of context. I said that this is coupled with the fact that peers encourage the use of randomness in a password, and companies enforce password policies that corroborate this need. I'm not suggesting there's a set length at which point people have difficulty remembering something, but there is certainly a correlation: you certainly aren't going to argue the chances of remembering "fsd&e" are much greater than remembering "amsdagk3881((@!3ll1..dags8" are you? Similarly, you wouldn't argue that at some point you spent time learning the Gettysburg Address -- it's not simply something you read once and recalled. (If so, this is impressive, and you shouldn't argue this as "normal".) Length of the phrase is certainly tied to the ability to commit it to memory. Yes, I'm repeating this using empirical evidence as I'm slightly too lazy to go look up any of the several articles I've read about how we memorize things and how "brain storage" actually works. There are ways to bypass this to some degree: adding music or tune, creating rhyme, setting to iambic pentameter (or any "rhythmization" for that matter). As computing systems continue to get stronger, the necessity of longer passphrases will increase -- or slower secure algorithms will need to be developed. (Or possibly more fitting algorithms, given the possibility of quantum computing, which may intrinsically provide solutions to some implementation issues following PKI). >> When talking about symmetric cryptography, "four score and seven years >> ago" would probably be a great key. There is no convenient rainbow >> table upon which to do a hash lookup. It's sufficiently expensive to >> brute-force. > > i'm not convinced of this. here's why. i was reading yesterday > about a research-project that built a machine that could try 1 billion > rsa keys/sec. now consider such a machine in the possession of bad > guys. for them it would make sense to harvest nearly every phrase > you can find on the internet and try it. the hard part would be > crawling the net. I certainly have several nonsensical words / names for my cats. None of them contain numbers or punctuation or anything associated with a strong passphrase. The longest of these is probably about 12 characters. And a system that can try a billion RSA keys per second is going to quickly exhaust the relatively short combination of these, even brute forcing. And you're right -- as I also alluded above, the continued computing and mathematical advancements made by society at large will continue to obsolete any statements about what a "good pass phrase" is. Right now, it's length and perceived randomness. People have enough difficulty remembering short passwords. Or creating "good" passwords in the first place. Upper bounds along with enforcing permutations are placed to reduce peoples' likelihood of forgetting them while still providing some level of security. It's not the best approach, but until people start treating passwords like an ATM card with a PIN, it's not going to matter much anyway. (Ignoring that PINs for most cards are only have 9990 or fewer permutations.) --dho > - erik > >
