Dear Linkedin,

Joel jaeggli joelja at bogus.com
Sun Jun 10 07:03:43 UTC 2012


On 6/8/12 16:05 , Alec Muffett wrote:
>> Does anybody have a good URL explaining that idea?  It's been
>> kicking around for many years.  I've never seen a convincing
>> writeup.
> 
> I've tried to do that in another mail - it's in the realms of
> philosophy more than strategy; like if you're a really security-aware
> person and take great care you can probably stretch the useful life
> of a password out to _years_ - but how typical are *you* in that
> instance?

I have a slide in a presentation I give about once a year that goes
something like:

How good does a password/phrase have to be in order to
protect against brute-force or dictionary attacks against the
password itself?
● Entropy in language.
– A typical English sentence has 1.2 bits of entropy per
character, so you need 107 characters to get a statistically
random MD5 hash.
– Using totally random English characters you need 28
characters.
– Using a random distribution of all 95 printable ASCII
characters you need 20 characters.
● Observation: good passwords are hard to come by.

>> Does your bank request/require that you change the PIN on your ATM
>> card every few months?
> 
> ATM cards are not passwords, they are a coarse form of two-factor
> authentication - You have the card, you have the PIN.
> 
> You have to possess both in order to transact - at least in in
> theory.
> 
> Compare that with the secrecy surrounding the CVV - the "last three
> digits on the number on the back of the card" which you are "not
> meant to tell anyone" and which _will_ be different if your card is
> lost/stolen and reissued.
> 
> Now _that_ is a password.
> 
>> Security is a tradeoff.  I think there are two cases for passwords.
>> I'll call them important and junk.  I'm willing to store the junk
>> ones in a file or piece of paper that I'm careful with.  I have to
>> memorize the important ones.
> 
> You know, that's not bad.  I am pro-paper for long passwords.  I am
> even-more pro "password safes".
> 
>> I'm only smart enough to memorize a few good passwords.  If I
>> change them every few months, they will be less good, or fewer of
>> them.
> 
> It's harder as we get old.  Use technology to aid with the heavy
> lifting.  :-)
> 
> -a
More information about the NANOG mailing list
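Worked example, added by the editor and not part of Joel's slide or of any message in the thread: a short Python script that reproduces the slide's three lengths from the entropy-per-character figures and then generalizes the same arithmetic to a concrete string and to a guess rate. The 1.2 bits/char value for English prose is the one the slide quotes; the character-class estimator, the sample strings and the 1e10 guesses/s attacker rate are assumptions made here for illustration.

```python
import math
import string

# Target search space: as large as the MD5 output space, the bar used on the slide.
MD5_BITS = 128

# Printable ASCII is 0x20..0x7E: digits, letters, punctuation and the space.
PRINTABLE_ASCII = string.digits + string.ascii_letters + string.punctuation + " "
assert len(PRINTABLE_ASCII) == 95

# Entropy per character for the three cases on the slide.  The 1.2 bits/char
# figure for English prose is the slide's; the other two follow from uniform
# random choice over the alphabet.
BITS_PER_CHAR = {
    "english_prose": 1.2,
    "random_letters": math.log2(26),
    "random_printable": math.log2(len(PRINTABLE_ASCII)),
}


def chars_needed(bits_per_char, target_bits=MD5_BITS):
    """Smallest length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_char)


def slide_figures():
    """Reproduce the three lengths on the slide as {case: length}."""
    return {case: chars_needed(b) for case, b in BITS_PER_CHAR.items()}


def estimated_bits(password, english_prose=False):
    """Generous entropy estimate for a concrete string (editor's assumption).

    With english_prose set, charge 1.2 bits/char as the slide does.
    Otherwise assume every character was drawn uniformly from the union of
    the character classes the string actually uses.  A human-chosen password
    is never that random, so this is an upper bound: a string that fails this
    test certainly falls short; one that passes may still be weak.
    """
    if not password:
        return 0.0
    if english_prose:
        return BITS_PER_CHAR["english_prose"] * len(password)
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    if alphabet == 0:
        # Only printable ASCII is modelled here; refuse rather than guess.
        raise ValueError("password uses no modelled character class")
    return len(password) * math.log2(alphabet)


def meets_target(password, target_bits=MD5_BITS, english_prose=False):
    """True if even the generous estimate clears the target."""
    return estimated_bits(password, english_prose) >= target_bits


def years_to_exhaust(bits, guesses_per_second):
    """Wall-clock years to try every candidate in a bits-sized space.

    The guess rate is supplied by the caller and is an assumption, not a
    figure from the slide.
    """
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for case, n in slide_figures().items():
        print(f"{case:17s} {BITS_PER_CHAR[case]:.2f} bits/char -> {n} chars")
    # Constructed sample inputs, not taken from the thread.
    for pw, prose in [("correct horse battery staple", True),
                      ("correct horse battery staple", False),
                      ("Tr0ub4dor&3!xK9#pQ2z", False)]:
        bits = estimated_bits(pw, prose)
        verdict = "meets" if bits >= MD5_BITS else "short of"
        print(f"{pw!r:32s} prose={prose!s:5s} ~{bits:6.1f} bits, {verdict} {MD5_BITS}")
    # Hypothetical attacker rate of 1e10 guesses/s, purely for illustration.
    print(f"{MD5_BITS}-bit space at 1e10 guesses/s: "
          f"{years_to_exhaust(MD5_BITS, 1e10):.2e} years")
```

The same 28-character passphrase scores about 34 bits under the prose model and over 130 bits under the random-alphabet model, which is exactly the slide's point: the length you need depends on how the characters were chosen, not on how many there are, and the generous estimate only ever tells you when a password is certainly too short.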