[148718] in cryptography@c2.net mail archive


Re: [Cryptography] Passwords are dying - get over it

daemon@ATHENA.MIT.EDU (Arnold Reinhold)
Wed Dec 25 17:00:34 2013

From: Arnold Reinhold <agr@me.com>
Date: Wed, 25 Dec 2013 15:40:54 -0500
To: Bill Frantz <frantz@pwpconsult.com>,
	Jonathan Thornburg <jthorn@astro.indiana.edu>
Cc: Cryptography <cryptography@metzdowd.com>
On 24 Dec 2013 15:27 Bill Frantz wrote:
> On 12/24/13 at 1:36 PM, agr@me.com (Arnold Reinhold) wrote:
>
>> You get 120 bits with 7 Diceware words and 30 bits of
>> stretching, close enough to full 128-bit strength, and three
>> words fewer than are needed without any key stretching, e.g.:
>>
>> hamlin jig cub naiad frey allyn pig
>>
>> Those three fewer words can make the difference between a
>> passphrase that an ordinary person can remember and a burden
>> most will shun. The vital role key stretching plays can be
>> thought of as impedance matching crypto security systems to
>> human memory capabilities.
>
> This is a password that I will have to be entering every day or
> write down. (I'm an old man and my memory isn't as good as it
> used to be.) There are three words, hamlin, naiad, and allyn
> that I, as a native English speaker, can't define. (The spell
> checker fails hamlin and allyn.) I'd have to learn to spell at
> least two of them.
>
> The need for entropy in passwords has already passed my
> diminished abilities. If you're looking for universal adoption,
> there's a problem.

Hamlin and Allyn are proper names. Many short names are included in the
Diceware(tm) list to keep the average word length low. Other word lists
are possible of course. And looking up an unfamiliar word can be an aid
to memorization. The "never write down your password" stricture has been
widely debunked. Most people need dozens of passwords. It is
unreasonable to expect users to memorize more than a few high strength
passwords, perhaps just their hard drive and password manager master
passwords. Strong KDFs would help for both uses.

24 Dec 2013 Jonathan Thornburg asked:
>
> What are the advantages & disadvantages of this (diceware) vs the old
> "think of a long sentence or phrase, and take the 1st letter of each word"
> scheme.  E.g. "FDR was elected to 3 full terms as US president & also
> served part of a 4th term, but he was never vice-president" gives
>  Fwet3ftaUp&aspoa4t,bhwnv-p
> That's 26 characters, with surely at least 4 bits of entropy/character,
> so we're comfortably over 100 bits of entropy.

There is no theoretical basis for the "at least 4 bits of entropy per
character" you claim. People following the advice you cite are likely to
use phrases in published works, such as books or songs, with predictable
variations. The most common examples, such as popular quotes and lyrics,
are likely already in password cracking tables. Also the initial
characters in English words are even less uniformly distributed than
English text in general.

The entropy in Diceware word selection is a demonstrable 12.9 bits per
word assuming a strong source of randomness, such as dice, is used.
Diceware users are not asked to think up something unpredictable. It is
well established that people are lousy at that.

I just posted to my blog (diceware.blogspot.com) a different approach,
which is to generate a string of 10 random letters and then make up a
mnemonic sentence that has those letters as its initial letters, using a
simple table.  The sentences can be a bit wonky, and 10 random letters
have only 47 bits of entropy, but with a good key stretcher that could
be enough for many uses. Here is an example:

	mngjkwyufk

	"Mary's nice goats joyously keep wimpy youths urging fast karma"

For more entropy, one can insert random numbers before the noun clauses,
e.g.

	m81ngjk74wyufk

	"Mary's 81 nice goats joyously keep 74 wimpy youths urging fast karma"

Four random digits add 13 bits of entropy, bringing us up to 60 bits.
If still more is needed, one can use two sentences, or come up with a
scheme for something longer, like a random poem or haiku.

Again, the random string is the password, the sentence is just an aid
for memorization. Password formats are a matter of taste. It's good to
have more than one strong option.

Arnold Reinhold
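[Editor's added example. The code below is not part of Reinhold's post and is not the table from his blog; it is a stand-alone Python illustration of the arithmetic in the thread: 12.9 bits per Diceware word (log2 of a 7776-entry list), 47 bits for 10 random letters, 13 bits for 4 random digits, and the way a key stretcher's iteration count adds to a password's effective strength. The helper names (entropy_bits, words_needed, mnemonic_fits, stretch) are my own. mnemonic_fits implements only the rule visible in the two examples above (each word contributes its first letter, each inserted number is spelled out in full), not the blog's sentence-building table, and PBKDF2-HMAC-SHA256 is used as a stand-in for whatever "good key stretcher" is meant.]

```python
import hashlib
import math
import secrets
import string

# Diceware draws one word per five dice rolls, so the list has 6**5 entries.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniform picks from `choices` items.

    This is why the Diceware figure is "demonstrable": the entropy comes
    from the dice, not from how the words look.
    """
    return count * math.log2(choices)


def effective_bits(entropy: float, iterations: int) -> float:
    """Entropy plus the work factor a KDF adds (2**30 iterations ~ 30 bits)."""
    return entropy + math.log2(iterations)


def words_needed(target_bits: float, stretch_bits: float = 0.0) -> int:
    """Fewest Diceware words whose entropy plus `stretch_bits` reaches target."""
    per_word = entropy_bits(DICEWARE_LIST_SIZE, 1)
    return math.ceil(max(target_bits - stretch_bits, 0) / per_word)


def roll_dice(n: int) -> list:
    """n uniform rolls of a six-sided die from the OS CSPRNG.

    Physical dice are the post's recommendation; secrets.randbelow is the
    software equivalent and is unbiased, unlike ad hoc `random` tricks.
    """
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def diceware_key(rolls: list) -> str:
    """Five rolls -> the five-digit key (e.g. '31426') used to index the list."""
    if len(rolls) != 5 or not all(1 <= r <= 6 for r in rolls):
        raise ValueError("a Diceware word needs exactly five rolls of 1..6")
    return "".join(str(r) for r in rolls)


def random_letters(n: int) -> str:
    """Uniform lowercase letters: 10 of them carry 10*log2(26) ~ 47 bits."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def random_digits(n: int) -> str:
    """Uniform decimal digits: 4 of them carry 4*log2(10) ~ 13.3 bits."""
    return "".join(secrets.choice(string.digits) for _ in range(n))


def mnemonic_fits(password: str, sentence: str) -> bool:
    """True if `sentence` encodes `password`: each word contributes its
    first letter (lowercased) and each whole-number token is spelled out
    in full, in order. Hypothetical rule inferred from the post's examples.
    """
    encoded = []
    for token in sentence.split():
        token = token.strip(",.;:!?\"")
        if not token:
            continue
        encoded.append(token if token.isdigit() else token[0].lower())
    return "".join(encoded) == password


def stretch(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 as a stand-in for "a good key stretcher".

    Each doubling of `iterations` costs an attacker one more bit of work;
    2**30 is the post's figure but too slow for a demo, so callers choose.
    A real deployment would prefer a memory-hard KDF (scrypt, Argon2).
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    keys = [diceware_key(roll_dice(5)) for _ in range(7)]
    print("Diceware keys:", " ".join(keys))
    seven = entropy_bits(DICEWARE_LIST_SIZE, 7)
    print("7 words:", round(seven, 1), "bits; with 2**30 stretching:",
          round(effective_bits(seven, 2 ** 30), 1))
    letters = random_letters(10)
    print("10 random letters:", letters, round(entropy_bits(26, 10), 1), "bits")
    # The post's own example, checked against its mnemonic sentence.
    print(mnemonic_fits("m81ngjk74wyufk",
          "Mary's 81 nice goats joyously keep 74 wimpy youths urging fast karma"))
    print(stretch(letters, secrets.token_bytes(16), 2 ** 16).hex())
```

Running it reproduces the thread's figures: seven words plus 30 bits of stretching round to 120 bits, ten words are needed for 128 bits without stretching, and the "Mary's 81 nice goats..." sentence really does decode to m81ngjk74wyufk. Note that the stretching term only helps if the verifier actually runs that many iterations; it adds nothing to the entropy of the string itself.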




_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography