
Halting Password Puzzles (2007) [pdf] - jacobkg
https://crypto.stanford.edu/~xb/security07/hkdf.pdf
======
ncmncm
One word: passphrases.

People find it very hard to remember a short password with crap stirred in, or
an eleven-character random string. Remembering three or four random words is
easy, and actually hard to crack. Six words is spy-grade (if actual spies were
any smarter than a toddler).

$ shuf -n 4 /usr/share/dict/words

Stripping off plurals and tenses costs a bit or two of entropy each, but makes
them much easier to remember. If you worry about security, it's much better to
add a word than to make fewer words harder to recall or type.

~~~
bradknowles
Anytime you’re designing a diceware or xkcd “correct-battery-horse-staple”
type of password system, it’s really important to choose your dictionary
really carefully and not make it too big. Humans tend to have a pretty hard
limit around five to ten thousand words that they can remember easily, and the
bigger your dictionary, the harder it is to remember less common words that
might crop up.

And then there is the problem of spelling those words correctly, which is hard
for people with dyslexia or other types of learning difficulties.

If your random number generator can be trusted, then a 10k dictionary gets you
about 13 bits of entropy in that part of your password. But it takes a lot of
words like that to get into the 128 bit range which is still pretty damn weak
for password security — ten words at 13 bits each would only get you to 130
bits.

And then you run into the problem that most people have difficulty remembering
more than six or seven “objects” for a given entity. This is why local phone
numbers are no more than seven digits long in the North American Numbering
Plan.

All password/passphrase systems are compromises. Even a password management
system is a compromise, because then you have to worry about the maintenance
and security of the password management system on top of all the passwords it
is protecting.

And don’t get me started on biometrics.
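The arithmetic both comments lean on (bits per word = log2 of the dictionary size, total entropy = words × bits per word, and the entropy a list loses when plurals and tenses are collapsed into one remembered form) is easy to get wrong by hand. The following is an added example, not code from either commenter or from the linked paper; it uses a small constructed word list standing in for /usr/share/dict/words, a crude suffix-stripping "stemmer" that is only an illustration of collapsing inflections, and Python's secrets module so that word selection comes from the OS CSPRNG.

```python
import math
import secrets

# Constructed word list standing in for /usr/share/dict/words (assumption:
# a real deployment would load a vetted list of a few thousand common words).
WORDLIST = [
    "anchor", "anchors", "basket", "delta", "ember", "falcon", "garden",
    "gardens", "harbor", "island", "jump", "jumped", "jumping", "kettle",
    "lantern", "meadow", "needle", "orbit", "pepper", "walks",
]


def bits_per_word(dictionary_size):
    """Entropy of one uniformly random pick from a dictionary of this size."""
    if dictionary_size < 2:
        raise ValueError("dictionary must contain at least two words")
    return math.log2(dictionary_size)


def passphrase_entropy_bits(dictionary_size, word_count):
    """Entropy of word_count independent uniform picks (drawn with replacement)."""
    return word_count * bits_per_word(dictionary_size)


def words_needed(dictionary_size, target_bits):
    """Smallest word count that reaches target_bits with this dictionary."""
    return math.ceil(target_bits / bits_per_word(dictionary_size))


def collapse_inflections(words):
    """Toy stemmer (assumption for illustration, not a real linguistic
    stemmer): strip common plural/tense suffixes so forms a user would
    remember as 'the same word' are counted once. Returns the distinct stems."""
    stems = set()
    for w in words:
        for suffix in ("ing", "ed", "s"):
            if w.endswith(suffix) and len(w) - len(suffix) >= 3:
                w = w[: -len(suffix)]
                break
        stems.add(w)
    return sorted(stems)


def entropy_loss_bits(original_size, collapsed_size):
    """Bits per word given up when a list of original_size entries is
    effectively reduced to collapsed_size distinct remembered forms."""
    return math.log2(original_size / collapsed_size)


def generate_passphrase(wordlist, word_count):
    """Pick word_count words uniformly with replacement using the OS CSPRNG.
    Drawing with replacement keeps the entropy exactly word_count * log2(N)."""
    return [secrets.choice(wordlist) for _ in range(word_count)]


if __name__ == "__main__":
    # The 10k-word figure from the thread: ~13.3 bits per word, 10 words for 128 bits.
    print("bits/word for 10k dictionary:", round(bits_per_word(10_000), 2))
    print("words needed for 128 bits   :", words_needed(10_000, 128))

    # Diceware-style 7776-word list, six words.
    print("6 diceware words            :", round(passphrase_entropy_bits(7776, 6), 1), "bits")

    # Cost of collapsing plurals/tenses in the constructed list.
    stems = collapse_inflections(WORDLIST)
    print("list shrinks", len(WORDLIST), "->", len(stems), "stems;",
          "loss per word:", round(entropy_loss_bits(len(WORDLIST), len(stems)), 2), "bits")

    # Generate a four-word passphrase from the (deduplicated) stems.
    print("passphrase:", " ".join(generate_passphrase(stems, 4)))
```

Running the script prints the entropy figures for the 10k and diceware cases and one freshly generated passphrase; the loss from collapsing inflections is log2(original size / collapsed size) per word, which is the "bit or two" the first comment refers to, and the cheapest way to recover it is to add a word rather than to keep the harder-to-remember forms.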

