I think the author of the page was on his way to saying something important but got sidetracked. Whether his math works or not is secondary to the bit I think is important.
It's easy to build gadgets which yield passwords that are mathematically very strong. The problem is that such passwords tend to be psychologically and pragmatically weak: you'll never remember "dishGhebJactotCerUnJodNavhahifbobTyWodvacushdojHashJakfawnairvak". Instead you'll wind up writing it on a scrap of paper and carrying it with you, and any pickpocket could take it. The essence of a password or passphrase is that it is something you just learn, so that it cannot be taken from you without violence. So an "all-around strong" key generation method must take into account psychology as well as cryptology. Its output must at the same time be easy to learn, difficult to guess, and infeasible to calculate. The obscured point in the article is that insisting solely on ever-increasing mathematical complexity is psychologically unsound. It tends to make the system's users into another class of adversary whose goal is to bypass the complexity rules so he can get logged on and do work without first spending an hour trying to recall something that looks like line noise. A legitimate user should not have to crack his own password more than three or four times in a decade. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Asking whether markets are efficient is like asking whether people are smart.
pgp7xMBBe8cbB.pgp
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users