[4158] in cryptography@c2.net mail archive
RE: PGP compromised on Windows 9x?
daemon@ATHENA.MIT.EDU (Jay D. Dyson)
Mon Feb 8 13:00:47 1999
Date: Mon, 8 Feb 1999 09:08:17 -0800 (PST)
From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
To: Cryptography List <cryptography@c2.net>
In-Reply-To: <000001be535a$18f00de0$67c1e0ca@default>
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 8 Feb 1999, Tom Garner wrote:
> It troubles me, how lazy and stupid the average person is. How many
> TIMES do we have to say "don't use a passphrase that is..." or "make
> your passphrase 8 ALPHA-Numeric...".
The key term here is "average." Consider that the "average" user
doesn't care to explore things such as Linux and is instead content to use
only Windows or Macintosh. Consider that the "average" user is perfectly
happy with AOL. Consider that the average person will settle for just
about anything provided that it's easy to use.
Cryptography can be rendered easy to use (a'la NAI's iteration of
PGP which functions as several things, not the least of which is a plug-in
for the Eudora mailer). The only problem is this: when you make something
idiot-proof, idiots will use it. And when idiots use something, idiotic
things happen. That's a simple fact of life.
> I say that it is TIME for programmers to QUIT giving us (and I say us,
> as in all of us), the opportunity to choose a passphrase that can be
> easily guessed by p.phrase hacking techniques.
I personally would never purchase or use a product wherein some
programmer set forth an arbitrary scheme to evaluate my passphrase. For
one thing, I don't need a techno-mommy. For another, I paid for the given
product, so I'd best be in the driver's seat AFAIC.
Sure, I wouldn't mind a confidence-check of some kind on my
passphrases. I know my logic is fallible. But that does not mean I
should surrender my choice to that of a programmer. Just a little *too*
Orwellian for me, thanks.
> Isn't it possible w/out degrading any further on PGP's side the ability
> to have someone enter a passphrase and its either scrambled, or rejected
> for having "English words" in it?
That'd just be adding another layer without improving security.
I've seen it happen countless times before in other circumstances.
Suppose you get this "scrambler." How do you propose that the
idiotic end user remember it? Chances are, if they're your standard-issue
idiot, they'll write it down and leave it in the top drawer of their desk;
or maybe in their billfold. There goes any practical value for that
"added security feature."
> I've been reading for years how the PassPhrase is probably the only weak
> part in PGP, and why? Why GIVE US THE choice? Obviously we are not
> responsible enough to handle PassPhrase correctly.
That the frail among us cannot ambulate does not justify the
mandatory issuance of leg braces to the able-bodied. I for one find said
braces to be uncomfortable, restrictive and a detriment to my mobility.
> I'm sorry to sound a bit harsh, but I'm sick/tired of reading about
> passphrases being weak, and passwords being weak, and there is only one
> reason, that is our laziness.
Laziness is part of nature. Everything follows the path of least
resistance. About the only way to get around this sort of problem is not
to restrict the cryptographic systems, but to encourage people to devise
their own mnemonic strategies by which they can formulate practically
unguessable passphrases that they themselves can readily remember based on
how they recall things. I have had phrases in the past that were utterly
nonsensical to the average person but I can still recall with great
clarity. The best part is that they were unguessable because they were
comprised of three languages and they conveyed thoughts I never shared
with anyone, not even my ex-wives.
Eh...so I'm a strange little monkey. At least my girlfriend
thinks I'm cute. ;)
- -Jay
( ______
)) .-- "There's always time for a good cup of coffee." --. >===<--.
C|~~| (>-- Jay D. Dyson -- jdyson@techreports.jpl.nasa.gov --<) | = |-'
`--' `-- As a matter of fact, I *am* a rocket scientist. --' `-----'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNr8aDLl5qZylQQm1AQGftwP+PnDjm6QoPLnigwcUgPVNHLLFq7vw/++Y
gXlVTBY+Dgay2mcSUhTexmT99hV2u+KCnWB/h+q/fusfafZK0y/hs63krqiMF6zT
svddozakDck5DE52RQInP4NHK4r4xpCBiS5OzE8YxNqyHu6FKZTfDm2jnwD+VPcn
tsffcoCY7oA=
=zd/h
-----END PGP SIGNATURE-----
