A better way to think about passwords

Mark H. Wood mwood at IUPUI.Edu
Mon Apr 18 19:02:05 CEST 2011


On Mon, Apr 18, 2011 at 12:11:24PM -0400, Robert J. Hansen wrote:
> On 4/18/2011 11:46 AM, Mark H. Wood wrote:
> > It's easy to build gadgets which yield passwords that are
> > mathematically very strong.  The problem is that such passwords tend
> > to be psychologically and pragmatically weak:  you'll never remember
> > "dishGhebJactotCerUnJodNavhahifbobTyWodvacushdojHashJakfawnairvak".
> 
> I know lots of people who have memorized their 23-digit credit card +
> expiration date + security code.  A Base-64 encoding of a 128-bit hash
> algorithm is 22 characters long.

Oh, sure -- I do that too.  But the CC memorization problem seems a
lot easier.  First, it's all digits, not a typical Base64 mishmash.
Second, it's not a 23-digit number; it's a 16-digit number, a date,
and a 3-digit number.  The hardest part by far is the 16-digit number.
But since that number doesn't have any particular meaning to me *as a
number*, it can be further broken down to a sequence of four
four-digit sequences.  Four four-digit numbers, a date, and a
three-digit number doesn't sound difficult at all -- it's only six
symbols.  Chunking at useful level(s) can greatly assist learning.

OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg=="
they are not readily visible to me.  My eye tends to slide right past
it without taking anything in.

This is why I tend to use something like APG to generate strings of
nonsense *syllables*.  If I can pretend it's a word, it's a lot easier
for me to learn, because I can learn a handful of syllables instead of a
long patternless jumble of individual characters.  It engages auditory
memory and can expose verbal handles for association.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20110418/d12641a3/attachment.pgp>
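Worked example, added here and not part of the original message or of APG: a small syllable-based generator that makes the thread's two points concrete, that entropy should be counted per uniformly drawn chunk rather than per character, and that chunking (four 4-digit groups, or capitalised syllables) is a memory aid that adds no strength. The onset/vowel/coda letter sets are an illustrative assumption, not APG's tables; the 16-digit string in the usage section is constructed test data, not a real card number.

```python
import math
import re
import secrets

# Added example, not APG's algorithm and not the poster's code.  A syllable is
# built as onset + vowel + coda from these (assumed, illustrative) letter sets;
# every syllable is drawn uniformly from the full inventory, so the entropy of
# a password is exactly syllables * log2(len(SYLLABLES)).
ONSETS = ["b", "d", "f", "g", "h", "j", "k", "l", "m", "n", "p", "r", "s", "t",
          "v", "w", "z", "bl", "br", "ch", "cl", "cr", "dr", "fl", "fr", "gr",
          "pl", "pr", "sh", "st", "th", "tr"]                       # 32 onsets
VOWELS = ["a", "e", "i", "o", "u", "ai", "ee", "oo"]                # 8 nuclei
CODAS = ["", "b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "x",
         "z", "ck", "nd", "ng", "nt", "sh", "st"]                   # 21 codas

# Onsets and codas contain only consonants, so no two (onset, vowel, coda)
# triples spell the same string: 32 * 8 * 21 = 5376 distinct syllables.
SYLLABLES = sorted({o + v + c for o in ONSETS for v in VOWELS for c in CODAS})
SYLLABLE_SET = frozenset(SYLLABLES)
BITS_PER_SYLLABLE = math.log2(len(SYLLABLES))   # about 12.39 bits


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform draws from `choices` symbols."""
    return length * math.log2(choices)


def syllables_for_bits(target_bits: float) -> int:
    """Smallest number of syllables whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_SYLLABLE)


def syllable_password(n_syllables: int) -> str:
    """Draw n_syllables with the CSPRNG and capitalise each so the chunk
    boundaries are visible ('DishGhebJac...').  Capitalisation is
    deterministic and adds no entropy; it only helps memorisation."""
    picks = [secrets.choice(SYLLABLES) for _ in range(n_syllables)]
    return "".join(s.capitalize() for s in picks)


def split_syllables(password: str) -> list[str]:
    """Recover the chunks of a syllable_password() output."""
    return re.findall(r"[A-Z][a-z]*", password)


def password_entropy(password: str) -> float:
    """Entropy actually earned by a syllable_password() output, counting the
    uniform syllable draws rather than the characters."""
    parts = split_syllables(password)
    if not parts or any(p.lower() not in SYLLABLE_SET for p in parts):
        raise ValueError("not a syllable_password() output")
    return len(parts) * BITS_PER_SYLLABLE


def chunk(s: str, size: int) -> list[str]:
    """Split a digit string into fixed-size groups, the way a 16-digit card
    number is remembered as four 4-digit groups."""
    return [s[i:i + size] for i in range(0, len(s), size)]


def compare_schemes(target_bits: int = 128) -> dict[str, float]:
    """Entropy budget of the schemes discussed in the thread."""
    n = syllables_for_bits(target_bits)
    return {
        # 16 uniformly random decimal digits; a real card number is far from
        # random, so this is an upper bound for that scheme.
        "16 digits": entropy_bits(10, 16),
        # 22 base64 characters of a 128-bit value carry at most 128 bits, not
        # 22 * 6 = 132: an encoding cannot add entropy to its input.
        "22 base64 chars of a 128-bit value": min(entropy_bits(64, 22), 128),
        # Syllable string of at least equal strength.
        f"{n} syllables": n * BITS_PER_SYLLABLE,
    }


if __name__ == "__main__":
    print(len(SYLLABLES), "syllables,", round(BITS_PER_SYLLABLE, 2), "bits each")
    pw = syllable_password(syllables_for_bits(128))
    print(pw, "->", round(password_entropy(pw), 1), "bits")
    # Constructed test digits (a well-known test PAN), not a real card.
    print(chunk("4111111111111111", 4))
    for name, bits in compare_schemes().items():
        print(f"{name}: {bits:.1f} bits")
```

Eleven syllables (about 45 letters with these tables) reach 128 bits, roughly the length of the string quoted at the top of the thread, while the 16-digit group tops out around 53 bits even if the digits were random. The generator uses `secrets`, not `random`; the entropy accounting above is only valid when each syllable is a uniform draw from a CSPRNG.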