At 3:04 PM -0800 12/5/2000, Ray Dillinger wrote:
>On Tue, 5 Dec 2000, Arnold G. Reinhold wrote:
>
...

>>I believe there are applications where a passphrase generated key is
>>preferable.
>
>>I think a standard such as Mr. Simpson suggests is a worthwhile idea.
>>No one is forced to use a standard just because it exists. One size
>>does not fit all. However I would propose including an option for key
>>stretching in any such standard. Key stretchers can bridge the gap
>>between what people are willing to memorize and reasonable levels of
>>security.
>
>Uh, no.  A dictionary attacker can stretch his guesses in exactly
>the same way, so there is no security from a so-called "password
>stretcher".

It is good that you raise this point, but I believe it is easily 
dealt with. The essence of the dictionary attack is that it allows 
the attacker to spread his investment in creating and storing the 
dictionary over multiple attacks. The standard way to break that up 
is to use salt. There is a straightforward way to apply the salt 
principle in this case. The user merely has to append a non-secret 
but relatively unique string to his secret passphrase before it is 
hashed. This can be something very familiar to him, such as his phone 
number, e-mail address, automobile license tag or social security 
number. Key generation software can prompt for this information 
separately.

>
>On the other hand, long passphrases that are *not* random gibberish
>are easy to remember.  As children, many of us (Americans in the
>midwest) were called upon to memorize documents like the constitution,
>word for word.  Even the "special" kids got through the Preamble to
>the Declaration of Independence.  I remember standing up and reciting
>"Annabel Lee" when I was a sixth-grader.  Now those documents, along
>with all of Shakespeare, are too well known to serve as keys.  But
>we are all capable of writing a piece of original prose or poetry and
>memorizing the sucker.  Sixty, eighty words -- that's easy.  A thousand
>is do-able with some time and effort.  A hundred words of verse, if it's
>original and you've never spoken it or shown it to anyone, is a pretty
>damn secure passphrase.

If you are comfortable memorizing 100 words of original verse and 
typing it in accurately each time you need to enter a passphrase, 
more power to you; but I believe you represent a tiny minority of 
users. My extended tirade on this subject is at 
http://www.diceware.com

>
>So be conservative with how much entropy you get from the keyphrase
>(my preferred standard is about 1 to 1.33 bits per character), ignore
>spacing and punctuation, and let the text entry for the passphrase
>be a big honkin' text block instead of a teeny little forty-character
>line. If someone wants to enter "sex" as a password, s/he deserves
>what s/he gets (although you may put up an "insecure passphrase"
>warning box for him/her).  But if they want to use the entirety of
>a poem in Latin that they made up about their job, the implementor
>shouldn't stand in their way.
>

I don't trust that 1.33 bit per character estimate for made up 
passphrases (people are far more predictable than they like to 
believe), but I agree that users should be allowed to employ long 
passphrases if they wish.

Arnold Reinhold
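
The salting scheme described in the message above, as an added example that is not part of the original e-mail: a non-secret, user-specific string is combined with the passphrase before stretching, so a table precomputed for one user does not apply to another. PBKDF2-HMAC-SHA256 stands in for the key stretcher (the thread names no algorithm), and the salt strings, guess list and iteration count are constructed for the demo.

```python
import hashlib

ITERATIONS = 20_000  # assumed work factor for the demo; tune upward in practice


def derive_key(passphrase: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """Stretch passphrase + non-secret salt into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt.encode("utf-8"), iterations
    )


def build_dictionary(guesses, salt, iterations=ITERATIONS):
    """Precomputed table: derived key -> guess. Valid for exactly one salt."""
    return {derive_key(g, salt, iterations): g for g in guesses}


def lookup(table, key):
    """Return the matching passphrase, or None if the table does not cover this key."""
    return table.get(key)


# Constructed sample data: a tiny guess list and two users with the same weak passphrase.
GUESSES = ["sex", "password", "letmein", "correct horse"]
ALICE_SALT = "alice@example.com"
BOB_SALT = "bob@example.org"


def demo():
    alice_key = derive_key("letmein", ALICE_SALT)
    bob_key = derive_key("letmein", BOB_SALT)
    # Building the table costs len(GUESSES) * ITERATIONS hash operations,
    # and that cost is paid again for every distinct salt.
    table = build_dictionary(GUESSES, ALICE_SALT)
    return {
        "keys_differ": alice_key != bob_key,
        "alice_recovered": lookup(table, alice_key),
        "bob_recovered": lookup(table, bob_key),  # table for Alice's salt misses Bob
    }


if __name__ == "__main__":
    print(demo())
```

The salt removes the amortization across users; the stretching raises the cost of each guess. A weak passphrase is still recoverable by an attacker who targets that one salt.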
