[148645] in cryptography@c2.net mail archive

Re: [Cryptography] Passwords are dying - get over it

daemon@ATHENA.MIT.EDU (Bill Cox)
Mon Dec 23 18:18:00 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52B86169.3020403@borg.org>
Date: Mon, 23 Dec 2013 12:07:25 -0500
From: Bill Cox <waywardgeek@gmail.com>
To: Kent Borg <kentborg@borg.org>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>

On Mon, Dec 23, 2013 at 11:14 AM, Kent Borg <kentborg@borg.org> wrote:

> Using a private key has three problems I see:
>
> 1. Another opportunity for an attacker: the key file.
>
> 2. Now I need to manage all the places I store key files.
>
> 3. The passphrase protecting the private key needs to be much stronger
> than does a password because there is a limit on how fast a password can be
> checked because the server will throttle attempts. Yes, you are talking
> about key strengthening, but I still want a lot of real entropy in my base
> passphrase, just in case the strengthening isn't so good.  Something worth
> 128-bits of entropy is a pain to remember and type.  But a password can be
> pretty short and still good (for example, 4-digit ATM PINs).
>

I agree with all these points.  However, github and other sites I visit
often require a public ssh key.  A lot of git management tools require
public ssh keys to work, and I have one linux server I manage that has many
users who log in with ssh keys as a result.  A decent high entropy pass
phrase is just too hard to type every time I want to log onto these
servers, so my security is weak.  Grr...


> P.S.  Passwords can be pretty easy to type, or have lots of entropy in
> them: but then they get long and hard to type without errors--and hard to
> remember.  For example, this has 128-bits of entropy in it (as it was
> mechanically and created out of 128-bits of /dev/urandom by a reversible
> coding):
>
> e195-16-explore-xray-comet-8bd7-orinoco-reward-canvas-72-strong-spain-poker
>

That's one heck of a password.  A randomly generated password can guarantee
security, but I'm too lazy to type that sort of monster every time!


> Remembering a series of three randomly chosen words is easy, there always
> seems to be a meaning that can be associated with them, but to "curve fit"
> an idea through many such random words is hard.  And typing with only
> bullet characters as feedback is error-prone.
>

If the word table has the most common 2^13 (8K) words, then such a pass
phrase has 39 bits of entropy.  That's not bad if the KDF were scrypt
running in 1G of memory for a second.  A $1B scrypt stretcher running on a
password guesser that knows you have 3 words chosen from the list of 10,000
would likely take an hour and a half to crack this.  In reality, such a
machine probably does not yet exist, so you'd be safe for now.  However, if
it's just AES-256 for 2048 rounds, a cheap 1T-hash/second machine (for only
$10,000 using BitCoin ASICs) enables guessing at a rate of 500M
guesses/second, and would crack this in 19 minutes.  That's not much
security!  That's why I'm promoting a switch to better KDFs, like scrypt.
I look forward to seeing the result of the upcoming competition.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
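
The passphrase sizing discussed in the message above, as an added example that is not part of the original post: it turns a word-list size, a word count and a KDF cost into a search time, and inverts the calculation to size a passphrase for a target. The 1T-hash/second rate and 2048 rounds come from the message; the function names, the synthetic word list and the scrypt parameters are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed stand-in for a real 2^13-word list (placeholder tokens, not real words).
WORDLIST = [f"w{i:04d}" for i in range(2**13)]

def passphrase_bits(list_size, words):
    """Entropy in bits of `words` independent, uniform picks from the list."""
    return words * math.log2(list_size)

def guesses_per_second(primitive_rate, iterations):
    """Each guess costs `iterations` primitive operations on the guessing hardware."""
    return primitive_rate / iterations

def exhaust_seconds(bits, guess_rate):
    """Time to try every candidate; the average hit comes at half of this."""
    return 2.0 ** bits / guess_rate

def words_needed(list_size, guess_rate, target_seconds):
    """Smallest word count whose full search lasts at least target_seconds."""
    return math.ceil(math.log2(guess_rate * target_seconds) / math.log2(list_size))

def pick_passphrase(wordlist, words):
    """Draw words with the OS CSPRNG so every pick is uniform and independent."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))

def stretch(passphrase, salt):
    """Memory-hard stretching with scrypt; 16 MiB here is an assumed, illustrative cost."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

if __name__ == "__main__":
    rate = guesses_per_second(1e12, 2048)  # hash rate and round count from the message
    bits = passphrase_bits(len(WORDLIST), 3)
    print(f"{bits:.0f} bits, {rate:.3g} guesses/s, "
          f"{exhaust_seconds(bits, rate) / 60:.1f} min to exhaust")
    year = 365 * 24 * 3600
    print("words for a one-year search:", words_needed(len(WORDLIST), rate, year))
    phrase = pick_passphrase(WORDLIST, 5)
    print(phrase, stretch(phrase, secrets.token_bytes(16)).hex())
```

Against the fast iterated construction, the same 2^13-word list needs five words before a full search takes more than a year; raising the per-guess cost with a memory-hard KDF lowers `guess_rate` and with it the number of words required.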