Security of message when private key is exposed but password isn't?
Mark H. Wood
mwood@IUPUI.Edu
Wed Aug 28 15:59:01 2002
On 28 Aug 2002, Konrad Podloucky wrote:
> "[...] Remember, though, that there are only about 1.4 bits of
> randomness per character in standard English. You're going to want at
> least a 64-character passphrase to make this secure; I recommend at
> least 80 characters, just in case. Sorry; you just can't get good
> security with a shorter key.[...]" (from Bruce Schneier's "The Solitaire
> Encryption Algorithm" http://www.counterpane.com/solitaire.html)
>
> Personally I like to use quotes, stupid riddles or passages from books
> as passphrases (it's pretty easy to remember phrases with a length of
> 100 characters that way).
[drifting off-topic]
There's a nice little gadget called 'apg' which will crank out FIPS-181
passwords up to 255 characters long. FIPS-181 passwords are supposed to
be always pronounceable, which helps a lot in remembering them. I'm told
that the OpenVMS command SET PASSWORD/GENERATE uses the same algorithm
(which is why I hunted down 'apg' -- that's one of the things I really
missed when they took my VMS away.)
http://www.adel.nursat.kz/apg/
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".