Security of message when private key is exposed but password isn't?

Mark H. Wood mwood@IUPUI.Edu
Wed Aug 28 15:59:01 2002

On 28 Aug 2002, Konrad Podloucky wrote:
> "[...] Remember, though, that there are only about 1.4 bits of
> randomness per character in standard English. You're going to want at
> least an 64-character passphrase to make this secure; I recommend at
> least 80 characters, just in case. Sorry; you just can't get good
> security with a shorter key.[...]" (from Bruce Schneier's "The Solitaire
> Encryption Algorithm"
> Personally I like to use quotes, stupid riddles or passages from books
> as passphrases (it's pretty easy to remember phrases with a length of
> 100 characters that way).

[drifting offtopic]
There's a nice little gadget called 'apg' which will crank out FIPS-181
passwords up to 255 characters long.  FIPS-181 passwords are supposed to
be always pronounceable, which helps a lot in remembering them.  I'm told
that the OpenVMS command SET PASSWORD/GENERATE uses the same algorithm
(which is why I hunted down 'apg' -- that's one of the things I really
missed when they took my VMS away.)

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".