[4183] in cryptography@c2.net mail archive
Re: Strengthening the Passphrase Model
daemon@ATHENA.MIT.EDU (Nick Szabo)
Wed Feb 10 14:13:55 1999
Date: Wed, 10 Feb 1999 00:42:14 -0800
To: "Arnold G. Reinhold" <reinhold@world.std.com>, cryptography@c2.net
From: Nick Szabo <szabo@best.com>
In-Reply-To: <v03130304b2e6ba8da48e@[24.128.119.92]>

Two equally important passphrase desiderata are memorability
and unguessability. Crude syntax checks can be silly:
"BibleBeast666" will pass most tests but it wouldn't
be very secure on a theological seminary's computers.
Less obvious alphanumeric pass "words" are more likely to
be written down than memorized. These jumbles make a
very poor format for entropy which is both memorable and
unguessable.

Mother's maiden name, Social Security number, and the like
are quite lame from the point of view of strong security
and entropy. They shine in being both quite
memorable to the user and largely unique to the user.
This is why banks and brokerages authorizing access to
$100,000's use them with a success rate sufficient for
their needs, no matter how much we bitch about it.
One could generalize from their success to teach a
cognitive discipline of passphrases which are more
memorable than alphanumeric gibberish but less obvious
than these old standbys.

We all have a tremendous storehouse of memories both
vivid and unique to ourselves. But we haven't
been trained in how to recognize them. We could
create from cognitive science simple steps for
generating passphrases. These phrases, optimized
for human brains rather than for computers or sequential-logical
notions of syntax and entropy, would be far less guessable
than SSNs and far more memorable than alphanumeric gibberish.

First security experts ourselves have to recognize
and accept that passphrases are a matter of practical
psychology, not a matter of measurable entropy,
syntax checks, or asking people to think sequentially
like computers.

Despite the room for cognitive improvements, the real entropy of
passphrases will increasingly be far more limited than what
computers can brute force. Whenever possible, effort should
be put into making small entropy passwords less guessable from the
clues we must maintain available to attackers. Two examples are
(a) storing the hashed password as a pseudorandom expansion which
must be recalculated each time, delaying each user authentication by a
small factor, but by a large factor for brute force searches, or
(b) using the resulting key or hashed password only for authentications
where the number of attempts can be limited.

Despite our best efforts, many users still simply won't
care much about security. The long run answer for them may
lie not in forcing them to do things they can't or won't do,
but in designing our security architectures to better
encapsulate workspaces, so that they and not other users
bear the consequences of their weak passwords. For
a security model which encourages such encapsulation, see
for example http://www.erights.org.

szabo@best.com
http://www.best.com/~szabo/
PGP D4B9 8A17 9B90 BDFF 9699 500F 1068 E27F 6E49 C4A2
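The two mitigations Szabo sketches for low-entropy passphrases, (a) storing the verifier as a pseudorandom expansion that must be recomputed on every login and (b) only using the result where the number of attempts can be bounded, are shown below as an added example; this is not code from the post or its author. It assumes PBKDF2-HMAC-SHA256 as the expansion function (any iterated, salted KDF would do) and uses a constructed passphrase and a constructed lockout threshold; the iteration count is an assumption chosen so the demo runs quickly.

```python
import hashlib
import hmac
import os
import time

# Iteration count is the "small factor" every legitimate login pays once;
# a guessing attacker pays it once per candidate, so the cost of a search
# over N candidates grows as N * ITERATIONS. (Assumed demo value.)
ITERATIONS = 50_000


def make_verifier(passphrase, salt=None, iterations=ITERATIONS):
    """Store only a random salt, the iteration count and the stretched hash.

    The salt means two users with the same passphrase get different
    verifiers and a precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_passphrase(record, candidate):
    """Recompute the expansion for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def estimate_search_seconds(record, candidate_space):
    """Rough cost of an exhaustive search over `candidate_space` guesses,
    measured from the time one verification takes with this record's
    iteration count. Useful for choosing ITERATIONS against a threat model."""
    start = time.perf_counter()
    check_passphrase(record, "timing-probe")  # constructed probe, will not match
    one_check = time.perf_counter() - start
    return one_check * candidate_space


class RateLimitedAuthenticator:
    """Online use of the verifier where attempts can be bounded (mitigation b).

    After `max_attempts` consecutive failures the account is locked, so the
    attacker's guess budget is capped regardless of passphrase entropy.
    """

    def __init__(self, record, max_attempts=5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def authenticate(self, candidate):
        if self.locked:
            # Locked accounts reject everything, even the correct passphrase,
            # until an out-of-band unlock happens.
            return False
        if check_passphrase(self.record, candidate):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed example: a low-entropy passphrase protected by stretching
    # and by an attempt limit.
    rec = make_verifier("BibleBeast666")
    print("one login:", check_passphrase(rec, "BibleBeast666"))
    print("search over 10^6 guesses would take about %.0f s"
          % estimate_search_seconds(rec, 10 ** 6))
    auth = RateLimitedAuthenticator(rec, max_attempts=3)
    for guess in ("password", "letmein", "BibleBeast667", "BibleBeast666"):
        print(guess, "->", auth.authenticate(guess), "locked:", auth.locked)
```

Raising the iteration count shifts the cost ratio in the defender's favour only as long as each verification is recomputed from scratch; caching the expanded value anywhere the attacker can read it gives the whole factor back.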