= 27d567bc2d48d9f40e9ccc20ea370b15)
lsparrish comments on Open Thread, October 13 - 19, 2013 - Less Wrong Discussion
You are viewing a comment permalink. View the original post to see all comments and the full post content.
= 783df68a0f980790206b9ea87794c5b6)
Loading…= b715d02e85f7b3b4ae65ca3d3e450868)
Subscribe to RSS Feed
Powered by Reddit
= f037147d6e6c911a85753b9abdedda8d)
You are viewing a comment permalink. View the original post to see all comments and the full post content.
Comments (247)
I recently memorized an 8-word passphrase generated by Diceware.
Given recent advances in password cracking, it may be a good time to start updating your accounts around the net with strong, prescriptively-generated passphrases.
Added: 8-word passphrases are overkill for most applications. 4-word passphrases are fairly secure under most circumstances, and the circumstances where in which they are not may not be helped by longer passphrases. The important thing is avoiding password reuse and predictable generation mechanisms.
I find it much easier to use random-character passwords. Memorize a few, then cycle them. You'll pretty much never have to update them. If you can't memorize them all, use software for that.
The "dictionary attacks" sentence is a non sequitur. The number of possible eight-word Diceware passwords is within an order of magnitude of the number of possible 16-character line noise passwords.
You're right, removed it. I'm not sure I understand why people prefer using passphrases though. Isn't it incredibly annoying to type them over and over again?
I think the main advantage is that they're easier to memorize.
Another is that, although they're harder to type because they're longer, they're easier to type because they don't have a bunch of punctuation and uppercase letters, which are harder to type on some smartphones (and slower to type on a regular keyboard). And while I'm at it, one more minor advantage (not relevant for people making up their own passwords) is that the average person does not know punctuation characters very well, e.g., does not know the difference between a slash and a backslash.
They may be easier to type the first few times, but after your "muscle memory" gets it even the trickiest line noise is a breeze.
That smartphone thing is a good point, though. My phone is my greatest security risk because of this problem. Probably should ditch the special characters.
Yes, no one should use line noise passwords because they are hard to type. If you want 100 bits in your password, you should not use 16 characters of line noise. But maybe you should use 22 lower case letters.
The xkcd cartoon is correct that the passwords people do use are much less secure than they look, but that is not relevant to this comparison. And lparrish's links say that low entropy pass phrases are insecure.
But why do you want 100 bit passwords? The very xkcd cartoon you cite says that 44 bits is plenty. And even that is overkill for most purposes. Another xkcd says "The real modern danger is password reuse." Without indicating when you should use strong passwords, I think this whole thread is just fear-mongering.
According to the Diceware FAQ, large organizations might be able to crack passphrases 7 words or less in 2030. Of course that's different from passwords (where you have salted hashes and usually a limit on the number of tries), but I think when it comes to establishing habits / placing go-stones against large organizations deciding to invest in snooping to begin with, it is worthwhile. Also, eight words isn't that much harder than four words (two sets of four).
One specific use I have in mind where this level of security is relevant is bitcoin brainwallets for prospective cryonics patients. If there's only one way to gain access to a fortune, and it involves accessing the memories of a physical brain, that increases the chances that friendly parties would eventually be able to reanimate a cryonics patient. (Of course, it also means more effort needs to go into making sure physical brains of cryonics patients remain in friendly hands, since unfriendlies could scan for passphrases and discard the rest.)
I don't understand what you mean by this. How are salting and limits properties of passwords (but not passphrases)?
What I meant is that those properties are specific to the secret part of login information used for online services, as distinct from secret information used to encrypt something directly.
Yes, there are some uses. I'm not convinced that you have any understanding of the links in your first comment and I am certain that that it was a negative contribution to this site.
If you really are doing this for such long term plans, you should be concerned about quantum computers and double your key length. That's why NSA doesn't use 128 bits. Added: but in the particular application of bitcoin, quantum computers break it thoroughly.
Well, that's harsh. My main intent with the links was to show that the system for picking the words must be unpredictable, and that password reuse is harmful. I can see now that 8-word passphrases are useless if the key is too short or there's some other vulnerability, so that choice probably gives us little more than a false sense of security.
This is news to me. However, I had heard that there are only 122 bits due to the use of RIPEMD-160 as part of the address generation mechanism.
Rudeness doesn't help people change their minds. Please elaborate what you mean by this. Even if he's wrong, the following discussion could be a positive contribution.
There are 7776 words in Diceware's dictionary. Would you rather memorize 8 short words, 22 letters (a-z case insensitive), or 16 characters (a-z case sensitive, plus numerals and punctuation marks?)
If I really had to type them in myself every time I wanted to use them, 16 random characters absolutely. Repeatedly typing the 8 words compared to 16 characters probably takes more time in the long run than memorizing the random string. Memorizing random letters isn't significantly easier in my experience than memorizing random characters.