Halting Password Puzzles (2007) [pdf] (stanford.edu)
10 points by jacobkg 11 months ago | 2 comments

One word: passphrases.

People find it very hard to remember a short password with crap stirred in, or an eleven-character random string. Remembering three or four random words is easy, and actually hard to crack. Six words is spy-grade (if actual spies were any smarter than a toddler).

$ shuf -n 4 /usr/share/dict/words

Stripping off plurals and tenses costs a bit or two of entropy each, but makes them much easier to remember. If you worry about security, it's much better to add a word than to make fewer words harder to recall or type.

Anytime you’re designing a diceware or xkcd “correct-battery-horse-staple” type of password system, it’s really important to choose your dictionary really carefully and not make it too big. Humans tend to have a pretty hard limit around five to ten thousand words that they can remember easily, and the bigger your dictionary, the harder it is to remember less common words that might crop up.

And then there is the problem of spelling those words correctly, which is hard for people with dyslexia or other types of learning difficulties.

If your random number generator can be trusted, then a 10k dictionary gets you about 13 bits of entropy in that part of your password. But it takes a lot of words like that to get into the 128-bit range, which is still pretty damn weak for password security: ten words at 13 bits each would only get you to 130 bits.

And then you run into the problem that most people have difficulty remembering more than six or seven “objects” for a given entity. This is why local phone numbers are no more than seven digits long in the North American Numbering Plan.

All password/passphrase systems are compromises. Even a password management system is a compromise, because then you have to worry about the maintenance and security of the password management system on top of all the passwords it is protecting.

And don’t get me started on biometrics.
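The arithmetic both commenters are doing (bits per word from dictionary size, words needed for a target, the cost of stripping plurals and tenses, and the first comment's shuf-style generation) carried through in one place. This is an added example, not code from either commenter or from the paper: SAMPLE_WORDS is a constructed stand-in for /usr/share/dict/words or a Diceware list, and stem() is a deliberately crude suffix stripper chosen so the effect of merging inflected forms can be measured, not a real stemmer.

```python
import math
import secrets
from collections import Counter

# Constructed wordlist standing in for /usr/share/dict/words or a Diceware
# list (assumption: the real file is loaded, lowercased and deduplicated).
SAMPLE_WORDS = [
    "garden", "gardens", "gardened", "gardening",
    "orbit", "orbits", "orbited", "orbiting",
    "lantern", "lanterns", "river", "rivers", "pebble", "pebbles",
    "copper", "velvet", "mirror", "staple", "horse", "battery",
    "correct", "walnut", "ember", "harbor",
]


def bits_per_word(dict_size: int) -> float:
    """Entropy of one word drawn uniformly from a dictionary of dict_size entries."""
    if dict_size < 2:
        raise ValueError("a dictionary needs at least two entries")
    return math.log2(dict_size)


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Entropy of n_words independent uniform draws (with replacement)."""
    return n_words * bits_per_word(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(dict_size))


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust all 2**bits guesses at the given rate (average is half this)."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(wordlist, n_words: int) -> list:
    """Draw n_words with replacement from the OS CSPRNG (secrets -> os.urandom);
    never the random module, whose Mersenne Twister output is predictable."""
    words = sorted(set(wordlist))  # duplicates would bias draws toward repeated entries
    return [secrets.choice(words) for _ in range(n_words)]


def stem(word: str) -> str:
    """Toy suffix stripping modelling 'plurals and tenses removed' (assumption:
    an illustrative stemmer for this example, not a linguistic one)."""
    for suffix in ("ing", "ed", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def stemmed_bits_per_word(wordlist) -> float:
    """Shannon entropy per word when each uniformly drawn word is replaced by its
    stem: forms that collapse onto one stem become a single, more likely outcome."""
    words = sorted(set(wordlist))
    n = len(words)
    counts = Counter(stem(w) for w in words)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    print("passphrase:", " ".join(generate_passphrase(SAMPLE_WORDS, 4)))
    for size, label in ((7776, "Diceware"), (10_000, "10k list"), (100_000, "100k list")):
        print(f"{label}: {bits_per_word(size):.2f} bits/word, "
              f"{words_needed(size, 77)} words for 77 bits, "
              f"{words_needed(size, 128)} words for 128 bits")
    full = bits_per_word(len(set(SAMPLE_WORDS)))
    stemmed = stemmed_bits_per_word(SAMPLE_WORDS)
    print(f"sample list: {full:.2f} bits/word raw, {stemmed:.2f} after stemming "
          f"({full - stemmed:.2f} bits lost per word)")
    years = worst_case_crack_seconds(passphrase_bits(7776, 6), 1e10) / (365.25 * 86400)
    print(f"6 Diceware words at 1e10 guesses/s: {years:.0f} years worst case")
```

Two details worth noting. `shuf -n 4` samples without replacement, so strictly it yields a hair under 4·log2(N) bits; `secrets.choice` with replacement gives exactly log2(N) per word, and for a list of thousands of words the difference is negligible either way. The stemming loss is exactly the average, over the raw list, of log2(number of forms sharing that word's stem); on the constructed list above that comes to about 0.9 bits per word, consistent with the "a bit or two" estimate, and adding one more word more than pays for it.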
