Re: Newbie question on encryption keys

On Sat, 28 Jul 2007 02:01:26 +0200, Ertugrul Soeylemez wrote:

> Ari <arisilverstein@xxxxxxxxx> (07-07-25 09:58:10):
>
> > Would you consider either of these serious passwords?
> >
> > 6:Q?-jiF6:Q?-jiF
> > 6:Q?-jiFFij-?Q:6
>
> Not really. Probably they are impractical to break for a random
> attacker, but it's still safer to use a completely random string
> without repetition. Then it also doesn't have to be so long.
>
> > I suppose this is the crux of my argument. On the order of
> > practicality, it is best to have the shortest possible password
> > (easiest to remember). You will need to have several (all eggs in one
> > basket = no good). So the shorter the better.
> >
> > Unless the examples above, again rearranged so as to be easily
> > remembered, are combined into 32-character passwords...
> >
> > Where is the point of best safety? One must assume a powerful
> > adversary to find that point. Or do we ever really know?
>
> You have to assume that every attacker already has some information
> about you or your password. Probably he knows that you are using
> repetition patterns in all or many of your passwords, which makes
> attacking it much easier.
>
> Think of your adversary standing behind you while you type in your
> password. He doesn't see what password you're typing, but he certainly
> hears the repetition patterns. If you're using SSH challenge-response
> authentication, then he might even sniff the traffic to find that out,
> because it reveals the pauses between key-presses.
>
> Regards,
> Ertugrul Söylemez.

That's a good lesson, Er, thanks.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
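To put numbers on Ertugrul's point that a repeated or mirrored pattern is worth far less than its length suggests, and that a fully random string can therefore be much shorter, here is an added worked example (not part of the thread, written for this page). It assumes the attacker knows the construction rule (doubled half or mirrored half) and the 94-character printable ASCII alphabet; both are assumptions, not facts from the thread. `independent_chars`, `effective_bits` and `random_password` are hypothetical helper names.

```python
import math
import secrets
import string

# Assumption: the attacker's candidate alphabet is the 94 printable,
# non-space ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
BITS_PER_CHAR = math.log2(len(ALPHABET))   # roughly 6.55 bits per character


def independent_chars(password: str) -> int:
    """Number of characters an attacker who knows the construction rule
    still has to guess.  Recognises the two rules from the thread: a half
    repeated verbatim and a half followed by its mirror image.  Anything
    else is treated as fully random."""
    n = len(password)
    if n % 2 == 0:
        first, second = password[: n // 2], password[n // 2:]
        if second == first or second == first[::-1]:
            return n // 2
    return n


def effective_bits(password: str) -> float:
    """Entropy the password offers against an attacker who knows the
    alphabet and the repetition rule but not the characters themselves."""
    return independent_chars(password) * BITS_PER_CHAR


def random_password(target_bits: float) -> str:
    """Shortest fully random password (CSPRNG-chosen) that reaches
    `target_bits` of entropy over ALPHABET."""
    length = math.ceil(round(target_bits / BITS_PER_CHAR, 6))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The two candidate passwords from the thread.
    for pw in ("6:Q?-jiF6:Q?-jiF", "6:Q?-jiFFij-?Q:6"):
        bits = effective_bits(pw)
        print(f"{pw}: {len(pw)} chars, {bits:.1f} bits once the pattern is known")
        print("  equally strong fully random password:", random_password(bits))
    print(f"16 fully random chars would give {16 * BITS_PER_CHAR:.1f} bits")
```

Once the doubling or mirroring is known, either 16-character example collapses to the entropy of its 8 independent characters (about 52 bits), and an 8-character string drawn with `secrets` matches it; 16 genuinely random characters would give roughly twice that. The same reasoning applies to any structure the attacker can learn, which is why Ertugrul's keystroke-timing remark matters: timing leaks the rule, not the characters, and the rule is what halves the work.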