Re: Should be in crypto for criminals Re: just stupid?

Crypto_at_S.M.S
Date: 07/16/05 

Date: Sat, 16 Jul 2005 17:50:43 +1000

Joseph Ashwood wrote:
> <Crypto@S.M.S> wrote in message news:11dgk9cgnm68ka9@news.supernews.com...
>
>>Besides, memorising pass phrases is not necessary. This is from the
>>current Crypto-Gram newsletter from Bruce Schneier:
>>
>> Last month, Microsoft's Jesper Johansson made the news when he urged
>> people to write down their passwords. This is good advice, and I've
>> been saying it for years.
>>
>> Simply, people can no longer remember passwords good enough to
>> reliably defend against dictionary attacks, and are much more secure
>> if they choose a password too complicated to remember and then write
>> it down. We're all good at securing small pieces of paper. I
>> recommend that people write their valuable passwords down on a small
>> piece of paper, and keep it with their other valuable small pieces of
>> paper: in their wallet. Obscure it somehow if you want added
>> security: write "bank" instead of the URL of your bank, transpose
>> some of the characters, leave off your userid. This will give you a
>> little bit of time if you lose your wallet and have to change your
>> passwords. But even if you don't do any of this, writing down your
>> impossible-to-memorize password is more secure than making your
>> password easy to memorize.
>>
>>There is no need to memorise anything, even though it is quite easy.
>
>
> Your threat model specifically excludes this, remember it's a part of your
> threat model that these individuals have to be searchable by law
> enforcement, the written passwords would function in same way as a verified
> key ring.
>

Written pass phrases are just scraps of paper,
not necessarily identifiable as such. Also note
that the above quote suggests further obscuring
what is written down.

>
>>2 bits? Again you oversimplify. 50 characters of mixed text has
>>more than 2 bits of entropy. You once quoted 1 bit per character.
>>Make up your mind.
>
>
> That was when I assumed you were simply using a random english word, once it
> became clear you were using the same word over and over, the word lost all
> it's entropy, originally I also assumed the sequence of numbers and misc
> characters was reasonably random, since it is not, it loses almost all of
> it's entropy as well.
>

No one is using the same pass phrase over & over.
It was the same example being given over & over to
a reader who is having trouble understanding a very
simple concept. Please be clear. It was only a
single example of using a nonsense word as a pass
phrase. Stop assuming anything about pass phrases,
except that they are based on a 16 bit character
set (i.e. UniCode). They are not random English
words, not the same word, not even a human language.
And they may contain upper/lower case, numbers, punctuation.

>
>>>>That's not the pass phrase generator.
>>
>>That is "A" generator posed as an example.
>
>
> And your point being that all you can do is not understand what is being
> said. You have advocated a specific passphrase generator as an example of
> something "good" you have since shown that it is flawed beyond any
> reasonable use.
>
>
>>No upper case, but there could have been. When attempting to brute
>>force a pass phrase, you have no idea what case of letters were in use.
>>Actually, you can not even assume that the letters are Latin, since
>>CryptoSMS runs on a UniCode machine.
>
>
> You keep going to that "but it's not necessarily English" without
> understanding why that doesn't matter in any way. The given user will have a
> given language, the result being that for that given language the biases are
> known and exploitable. Because your system is very effective at requiring
> low entropy passphrases this exploitation of the system becomes amazingly
> simple. Your own example of a passphrase generation scheme was actually
> worse than any assumptions would have given it.
> Joe
>
>

My point was that the pass phrase need not be in any human language.
Regardless of what language the messages may be written in.
The statement "that given language the biases are known and exploitable"
has no meaning when in reference to nonsensical pass phrases because
there is no "given language". Stop making assumptions.

Relevant Pages

  • Platitude as attitude - modern American language
    ... American language that offers surprising insights into why we talk the ... advertising, politics, and business mine the language for these phrases ... that its latest software is a "no-brainer," this bright, snappy ... The very term road rage, for instance, has made us ...
    (uk.philosophy.humanism)
  • Platitude as attitude - modern American language
    ... American language that offers surprising insights into why we talk the ... advertising, politics, and business mine the language for these phrases ... that its latest software is a "no-brainer," this bright, snappy ... The very term road rage, for instance, has made us ...
    (uk.philosophy.humanism)
  • Re: Should be in crypto for criminals Re: just stupid?
    ... memorising pass phrases is not necessary. ... > people to write down their passwords. ... You have advocated a specific passphrase generator as an example of ...
    (sci.crypt)
  • Re: Your help requested with colloctations
    ... It's about collocations - multi-word combinations such as the ones you're using above, and which native speakers use every day - 'mother tongue' is a good example, as is 'abundantly clear'. ... way we learn language in multi-word elements and learn which words go together. ... Is 'make the bed' a cliche? ... that have appeared in its columns, including just the sort of phrases you ...
    (uk.media.radio.archers)
  • Re: New Technology from Sensory allows English Lessons on Handheld Devices
    ... Check http://www.GyrusLogic.com who has the natural language ... Sensory Marketing wrote: ... > technology that is implemented on low cost chips. ... > phrases and to allow a Chinese speaker to compare his/her recorded ...
    (sci.lang)