[4231] in cryptography@c2.net mail archive


Re: Strengthening the Passphrase Model (was Re: PGP

daemon@ATHENA.MIT.EDU (Bill Stewart)
Mon Feb 22 09:58:00 1999

Date: Sun, 21 Feb 1999 11:22:37 -0800
To: cryptography@c2.net
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <v03110713b2e6cedd10d8@[209.109.236.198]>

At 11:11 PM 2/9/99 -0700, Bill Frantz wrote:
>In the case where PGP suggests a passphrase, perhaps it should suggest a
>poem.  People used poetry to remember and pass complex information long
>before the invention of writing.  People are good at memorizing poetry.

One vendor at the RSA99 show had a password-replacement program that
flashed up bunches of 9 faces and had you pick the right ones from each set.
They were in random order to discourage shoulder-surfing.
The theory is that human visual memory for recognizing faces is
very good, but ability to describe them to other people is typically weak,
so you can remember your passfaces easily but can't tell them
to someone else or write them down.

It was kind of a cute idea.  In practice, it's too wimpy for most
applications, because it's about 1 digit / 3 bits of entropy per set,
and their toolkit was built to hand out four sets,
so it's equivalent to a PIN rather than a password or passphrase
(and was therefore snake-oil material, given the way they were
over-promoting it :-) 
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

