[Q] Diceware password size

Ryan Malayter rmalayter@bai.org
Tue May 27 22:56:02 2003

From: Daniel Carrera [mailto:dcarrera@math.umd.edu]=20
>If I make sure that breaking my passphrase is=20
>harder than putting a key-logger, all I have to=20
>make sure is that putting a key-logger is more=20
>expensive than the value of my data.

This is going to be very hard for you to do. Almost every OS can be
remotely compromised by a skilled hacker if you allow any connections
from the Internet at all. There is undoubtedly a buffer overflow
somewhere in the service you use. The "hack this box" contests security
companies use to show of their wares routinely end in hours.

A foreign attacker could easily bribe a local thief to break into your
house for a few hundred dollars. They could write a virus, worm, patch,
or game that includes a keystroke logger that you unwittingly install
yourself. You may say, "I only use open-source software", but do you
review each line of code yourself, or simply trust the PGP signature on
the package came from someone trustworthy? Putting a keystroke logging
program into your machine in this way is not too expensive or difficult
for an organization with the right skills; the recent file-sharing
viruses actually do this.

This is why *really* secure systems need to be on isolated networks in
extremely physically secure locations. The U.S. Department of Defense,
CIA, FBI, and NSA, Britain's MI5, Russia's CSR, and the Israeli Mossad
are probably still the leaders in this area.