2010/6/29 Steve Simon <st...@quintile.net>:
>> But you can do at least as good as these forms of ID. PKI requires
>> knowledge of some sort of passkey. (I just worry about identification
>> for people who are not smart enough to pick a good key. Which,
>> unfortunately, is also most people.
>
> My understanding is a passkey just needs sufficient entropy in order to be
> strong.

Sure. But you can still brute-force a 4-character passkey in a reasonably
short time.

> This can be a few characters drawn from a larger character set - your password
> must be no more than 16 chars and must contain upper and lower case, numbers and
> punctuation.
>
> Alternatively it could be a long string made up of a restricted character set
> - your pass phrase can consist of any text characters but must not contain long
> repetitions and be at least 200 characters long (say).

This works, but tends to be easy to get out of people or figure out about
people if you know a bit about them.

> Thus a passphrase may be a quote from your favorite movie, a lyric or the
> like. This can then be hashed into a higher entropy string (is this statement
> true?) used for authentication.
>
> I don't understand why modern security systems have an upper limit on
> passphrase length.

Because people can't remember passwords, and companies don't like employing
full-time password changers.

--dho

> (waits for people who know better to tell him he is dumb).
>
> -Steve