A better way to think about passwords
Mark H. Wood
mwood at IUPUI.Edu
Mon Apr 18 19:02:05 CEST 2011
On Mon, Apr 18, 2011 at 12:11:24PM -0400, Robert J. Hansen wrote:
> On 4/18/2011 11:46 AM, Mark H. Wood wrote:
> > It's easy to build gadgets which yield passwords that are
> > mathematically very strong. The problem is that such passwords tend
> > to be psychologically and pragmatically weak: you'll never remember
> > "dishGhebJactotCerUnJodNavhahifbobTyWodvacushdojHashJakfawnairvak".
> I know lots of people who have memorized their 23-digit credit card +
> expiration date + security code. A Base-64 encoding of a 128-bit hash
> algorithm is 22 characters long.
Oh, sure -- I do that too. But the CC memorization problem seems a
lot easier. First, it's all digits, not a typical Base64 mishmash.
Second, it's not a 23-digit number; it's a 16-digit number, a date,
and a 3-digit number. The hardest part by far is the 16-digit number.
But since that number doesn't have any particular meaning to me *as a
number*, it can be further broken down to a sequence of four
four-digit sequences. Four four-digit numbers, a date, and a
three-digit number doesn't sound difficult at all -- it's only six
symbols. Chunking at useful level(s) can greatly assist learning.

OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg=="
they are not readily visible to me. My eye tends to slide right past
it without taking anything in.

This is why I tend to use something like APG to generate strings of
nonsense *syllables*. If I can pretend it's a word, it's a lot easier
for me to learn, because I can learn a handful of syllables instead of a
long patternless jumble of individual characters. It engages auditory
memory and can expose verbal handles for association.

Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
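
The trade-off discussed in this message can be put in numbers. The following is an added example, not part of the original post and not APG's algorithm: it draws fixed-length consonant-vowel-consonant syllables from a CSPRNG and compares the length needed for a given strength against Base64. The alphabet and all function names are assumptions made for the illustration.

```python
import math
import secrets

# Constructed alphabet for this example (not APG's tables).
# Every syllable is exactly consonant-vowel-consonant, so a password
# decodes to one syllable sequence only and the entropy figure is exact.
CONSONANTS = "bdfghjklmnprstvw"  # 16 letters
VOWELS = "aeiou"                 # 5 letters


def syllable_bits() -> float:
    """Entropy in bits of one uniformly chosen CVC syllable."""
    return math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def syllables_needed(target_bits: int) -> int:
    """Smallest number of syllables carrying at least target_bits."""
    return math.ceil(target_bits / syllable_bits())


def base64_chars_needed(target_bits: int) -> int:
    """Unpadded Base64 carries 6 bits per character."""
    return math.ceil(target_bits / 6)


def generate(n_syllables: int, sep: str = "-") -> str:
    """Build a password of n random syllables. The separator only marks
    the chunk boundaries for the reader and adds no entropy."""
    syllables = [
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(n_syllables)
    ]
    return sep.join(syllables)


if __name__ == "__main__":
    for bits in (64, 128):
        n = syllables_needed(bits)
        print(f"{bits} bits: {base64_chars_needed(bits)} Base64 chars "
              f"or {n} syllables, e.g. {generate(n)}")
```

With this alphabet a 128-bit password is 22 Base64 characters or 13 syllables: more characters to type, but 13 chunks to learn instead of 22 unrelated symbols.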