I think the main advantage is that they’re easier to memorize.
Another is that, although they’re harder to type because they’re longer, they’re easier to type because they don’t have a bunch of punctuation and uppercase letters, which are harder to type on some smartphones (and slower to type on a regular keyboard). And while I’m at it, one more minor advantage (not relevant for people making up their own passwords) is that the average person does not know punctuation characters very well, e.g., does not know the difference between a slash and a backslash.
They may be easier to type the first few times, but after your “muscle memory” gets it, even the trickiest line noise is a breeze.
That smartphone thing is a good point, though. My phone is my greatest security risk because of this problem. Probably should ditch the special characters.
Yes, no one should use line noise passwords because they are hard to type. If you want 100 bits in your password, you should not use 16 characters of line noise. But maybe you should use 22 lower case letters.
The xkcd cartoon is correct that the passwords people do use are much less secure than they look, but that is not relevant to this comparison. And lparrish’s links say that low entropy pass phrases are insecure.
But why do you want 100 bit passwords? The very xkcd cartoon you cite says that 44 bits is plenty. And even that is overkill for most purposes. Another xkcd says “The real modern danger is password reuse.” Without indicating when you should use strong passwords, I think this whole thread is just fear-mongering.
According to the Diceware FAQ, large organizations might be able to crack passphrases 7 words or less in 2030. Of course that’s different from passwords (where you have salted hashes and usually a limit on the number of tries), but I think when it comes to establishing habits / placing go-stones against large organizations deciding to invest in snooping to begin with, it is worthwhile. Also, eight words isn’t that much harder than four words (two sets of four).
One specific use I have in mind where this level of security is relevant is bitcoin brainwallets for prospective cryonics patients. If there’s only one way to gain access to a fortune, and it involves accessing the memories of a physical brain, that increases the chances that friendly parties would eventually be able to reanimate a cryonics patient. (Of course, it also means more effort needs to go into making sure physical brains of cryonics patients remain in friendly hands, since unfriendlies could scan for passphrases and discard the rest.)
I don’t understand what you mean by this. How are salting and limits properties of passwords (but not passphrases)?
What I meant is that those properties are specific to the secret part of login information used for online services, as distinct from secret information used to encrypt something directly.
Sorry, what I meant is something more like ‘encryption phrases’ and ‘challenge words’. Either context could in principle refer to a word or a phrase, actually. However, when you are encrypting secret data that needs to stay that way for the long term, such as your private PGP key, it is more important to pick something that can’t conceivably be brute forced, hence the usage of the term ‘passphrase’ usually applies to that. If someone steals your hard drive or something, your private key will only stay private for as long as the passphrase you picked is hard to guess, and they could use that to decrypt any incoming messages that used your public key.
When you are simply specifying how to gain access to an online service, it is a bit less crucial to prevent the possibility of brute forcing (so a shorter ‘password’ is sort of okay), but it is crucial for the site owner to use things like salt and collision-resistant hash functions to prevent preimage attacks, in the event that the password-hash list is stolen. (Plaintext passwords should never be stored, but unsalted hashes are also bad.)
If someone was using a randomly generated phrase of 4+ words or so for their ‘password’, salt would be more or less unnecessary due to the extremely high probability that it is unique to begin with. This makes for one less thing you have to trust the site owner for (but then, you do still have to trust that they aren’t storing plaintext, that the hash they use is collision-resistant, etc).
I’m not sure if it is possible to use salt with something like PGP. I imagine the random private key is itself sufficient to make the encrypted key as a whole unique. Even if the passphrase itself were not unique, it would not be obvious that it isn’t until after it is cracked. The important thing to make it uncrackable is that it be long and equiprobable with lots of other possibilities (which incidentally tends to make it unique). Since the problem isn’t uniqueness to begin with, but rather the importance of it never being cracked even with lots of time and brute force, salt doesn’t do a lot of good.
Bitcoin private keys are bound to the number of bits of entropy stored in the public address, which I believe is 122 or so. Since the presence of coins at a public address is public information, brute force attacks should be expected to track the cost of computing power / the value of coins stored. It seems to be pretty good security for the near term, but Douglas_Knight predicts that quantum computers will break bitcoin. (Presumably later versions will be more robust against quantum computers, or something other than bitcoin will take dominance.)
In any case, while I have been calling the phrase used for a bitcoin brainwallet a ‘passphrase’, and it is more in that category than not (being important to protect from brute force, not having a salt, and not being part of a login sequence), note that it is unlike a PGP passphrase in that it represents the seed for the key in its entirety rather than something used to encrypt the key.
Disclaimer: I’m not an expert in crypto.
Yes, there are some uses. I’m not convinced that you have any understanding of the links in your first comment and I am certain that it was a negative contribution to this site.
If you really are doing this for such long term plans, you should be concerned about quantum computers and double your key length. That’s why NSA doesn’t use 128 bits. Added: but in the particular application of bitcoin, quantum computers break it thoroughly.
Well, that’s harsh. My main intent with the links was to show that the system for picking the words must be unpredictable, and that password reuse is harmful. I can see now that 8-word passphrases are useless if the key is too short or there’s some other vulnerability, so that choice probably gives us little more than a false sense of security.
This is news to me. However, I had heard that there are only 122 bits due to the use of RIPEMD-160 as part of the address generation mechanism.
Rudeness doesn’t help people change their minds. Please elaborate what you mean by this. Even if he’s wrong, the following discussion could be a positive contribution.
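Added example, not part of the original thread: the length comparison discussed above (16 characters of line noise, 22 lowercase letters, or 8 Diceware words for about 100 bits; 4 words from a 2048-word list for 44 bits), computed and generated with Python's `secrets` module. The word list is a constructed stand-in for the real 7776-word Diceware list, and the figures hold only when every symbol is drawn uniformly at random.

```python
import math
import secrets
import string

# Alphabets compared in the thread.
LINE_NOISE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LOWERCASE = string.ascii_lowercase                                      # 26 symbols
# Constructed stand-in for the Diceware list: 6**5 = 7776 dummy "words"
# (five dice rolls select one word). Swap in a real list for actual use.
WORDS = [f"w{i:04d}" for i in range(6 ** 5)]


def bits_per_symbol(alphabet_size):
    """Entropy of one symbol drawn uniformly at random from the alphabet."""
    return math.log2(alphabet_size)


def symbols_needed(alphabet_size, target_bits):
    """Smallest number of uniform random symbols that reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def generate(alphabet, target_bits, sep=""):
    """Draw symbols with the OS CSPRNG; return (secret, entropy_in_bits).

    The entropy figure is only valid because secrets.choice is uniform and
    unpredictable. A phrase a person makes up does not get these bits.
    """
    n = symbols_needed(len(alphabet), target_bits)
    picks = [secrets.choice(alphabet) for _ in range(n)]
    return sep.join(picks), n * bits_per_symbol(len(alphabet))


if __name__ == "__main__":
    for name, alphabet, sep in [
        ("line noise", LINE_NOISE, ""),
        ("lowercase", LOWERCASE, ""),
        ("diceware-style words", WORDS, " "),
    ]:
        secret, bits = generate(alphabet, 100, sep)
        n = symbols_needed(len(alphabet), 100)
        print(f"{name:22s} {n:2d} symbols  {bits:6.1f} bits  {secret}")
```
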