A better way to think about passwords

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 18 18:11:24 CEST 2011


On 4/18/2011 11:46 AM, Mark H. Wood wrote:
> It's easy to build gadgets which yield passwords that are
> mathematically very strong.  The problem is that such passwords tend
> to be psychologically and pragmatically weak:  you'll never remember
> "dishGhebJactotCerUnJodNavhahifbobTyWodvacushdojHashJakfawnairvak".

I know lots of people who have memorized their 23-digit credit card +
expiration date + security code.  A Base-64 encoding of a 128-bit hash
algorithm is 22 characters long.

Strong passphrases are well within the realm of human feasibility.  They
just require a level of work most people are not willing to give.  But
if you need a 128-bit passphrase, you can do it: it will just take a few
hours of drill and memorization repeated over a few days.

Really, what it boils down to is this: there are no shortcuts to making
high-entropy easily-human-memorizable passphrases.  Sooner or later,
you've got to pay the piper...

> It tends to make the system's users into another class of adversary
> whose goal is to bypass the complexity rules so he can get logged on
> and do work without first spending an hour trying to recall something
> that looks like line noise.

Not only this, but it also produces an ideal environment for attackers.
It sets the security administrators up as the enemy of the people who
are actually doing the work -- which means that the people "in the
trenches," so to speak, will develop an us-versus-them culture in which
the security mechanisms are deliberately subverted just in order to get
work done.  In that environment, a malicious attacker who comes in and
begins subverting mechanisms looks no different than an authorized user
who is executing a legitimate task -- and the attacker will likely be
able to deceive authorized users into helping the skulduggery ("hey, can
I borrow your login and password, the damn system's rejecting mine
again...").
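
As an added example (not part of Hansen's message or the thread), here is a small Python script that makes the entropy arithmetic in the exchange concrete: how many uniformly random symbols of a given alphabet are needed to reach 128 bits, why a 128-bit value base64-encodes to 22 characters, and how a passphrase of that strength is generated with the OS CSPRNG. The 7776-word list size is the standard diceware size and is used here only as a parameter; the alphabets and the word list are constructed for the example.

```python
import base64
import math
import secrets

# Constructed alphabets for the example (a real diceware list has 7776 words).
BASE64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz0123456789+/")
DIGITS = "0123456789"
DICEWARE_SIZE = 7776  # 6^5 entries, one per five-dice roll


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one symbol chosen uniformly from the alphabet."""
    return math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: int) -> int:
    """Smallest number of uniformly chosen symbols reaching target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly at random.

    This bound only holds for uniform random choice; a human-chosen string
    of the same length and alphabet has far less entropy.
    """
    return length * bits_per_symbol(alphabet_size)


def base64_of_128_bit_key() -> str:
    """A fresh 128-bit key as base64 without padding: 16 bytes -> 22 chars."""
    raw = secrets.token_bytes(16)
    return base64.b64encode(raw).rstrip(b"=").decode("ascii")


def random_passphrase(alphabet, length: int, sep: str = "") -> str:
    """Uniform selection with secrets.choice (never random.choice for secrets)."""
    return sep.join(secrets.choice(alphabet) for _ in range(length))


def length_table(target_bits: int = 128) -> dict:
    """Length required to reach target_bits for each scheme in the example."""
    return {
        "base64 chars": symbols_needed(len(BASE64_ALPHABET), target_bits),
        "decimal digits": symbols_needed(len(DIGITS), target_bits),
        "diceware words": symbols_needed(DICEWARE_SIZE, target_bits),
    }


if __name__ == "__main__":
    for scheme, n in length_table().items():
        print(f"{n:3d} {scheme} for 128 bits")
    print("22-char base64 example:", base64_of_128_bit_key())
    print("digits example:", random_passphrase(DIGITS, symbols_needed(10, 128)))
```

The table it prints is the whole point of the thread: 22 base64 characters, 39 decimal digits, or 10 diceware words all carry at least 128 bits, and none of them is shorter than the others in any way that matters; the work of memorizing that much uniformly random material is the price, whichever alphabet you pick.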
