Domain: std.com
Stories and comments across the archive that link to std.com.
Comments · 370
-
Me code pretty some day
A voice in the wilderness
http://world.std.com/~swmcd/st... -
Re:PasswordSafe
Just to update the discussion, on March 15, Bruce Schneier's newsletter contained a mention of the same advice described above:
"First, don't choose a guessable password. This is more than not using 'password1' or 'qwerty'; most easily memorizable passwords are guessable. My advice is to generate passwords you have to remember by using either the XKCD scheme[*] or the Schneier scheme, and to use large random passwords stored in a password manager for everything else."
https://www.schneier.com/crypt...
* Note: The "XKCD scheme" is more of a vague concept than a true system and could be done in a way that results in a not-very-secure password. A more rigorous system based on the "XKCD scheme" is described by Diceware passwords: http://world.std.com/~reinhold...
-
Re:Obligatory XKCD
I use DiceWare.
-
Re:PasswordSafe
http://world.std.com/~reinhold...
"Entropy of 64.6 bits is breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)
77.5 bits may be breakable by an organization with a very large budget, such as a large country's security agency."
And, as someone else noted, this is based on TRUE RANDOMNESS. Everyone I referred to was using the opposite of a random generation scheme; they were describing a decidedly specific and NONRANDOM method for generating a password that *looked* random:
https://treskal.com/kha/blog/2...
How Much Entropy in That Password ::
"This means that there are two ways to make a secure password: use a template the password crackers don’t know about (or don’t bother to try, because so few people use it for their passwords), or use any old template and feed it with enough random bits. The former strategy relies on outwitting smart people who spend much of their time coming up with better ways to crack passwords; the latter just takes more coin flips. It’s security by obscurity vs. real security." -
Re:PasswordSafe
That's because that very old advice is obsolete. The XKCD password scheme considered dangerous by security experts.
Thank you for the Schneier post. That was a very interesting read. I included the XKCD comic to explain the critique of pseudo-random password templates, and I noted that Schneier linked to an article that explained very eloquently the point I was trying to make about the weakness of using elaborate "templates" to generate random-seeming passwords:
"This means that there are two ways to make a secure password: use a template the password crackers don’t know about (or don’t bother to try, because so few people use it for their passwords), or use any old template and feed it with enough random bits. The former strategy relies on outwitting smart people who spend much of their time coming up with better ways to crack passwords; the latter just takes more coin flips. It’s security by obscurity vs. real security."
Then, Schneier recommended the use of his own tool PasswordSafe to generate random passwords, as did I. So far, we are on the same page. =)
Finally though there is the question of how to generate a good, secure master password for your password manager. Note that I did not include XKCD in order to recommend their passphrase generation method! (This is the method that Schneier criticized.) Instead, I included a link to an article about Diceware passwords. Diceware uses the philosophy just described in the snippet above, whereby even if the attacker knows you used it, there is still too much guaranteed entropy for them to successfully attack it.
For metrics on the *lower bound entropy* (thanks, Schneier) of Diceware, here is a link:
http://world.std.com/~reinhold...
"A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits. (Four words only provide 51.6 bits, about the same as an 8 character password made up of random ASCII characters. Both are breakable in less than a day with two dozen graphics processors.) Inserting one extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See www.kelength.com). Needless to say, projections for the far future have the most uncertainty.
Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)
Six words may be breakable by an organization with a very large budget, such as a large country's security agency.
Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.
Eight words should be completely secure through 2050."
-
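The figures quoted in the comment above (64.6 bits for five words, four words being roughly equal to eight random ASCII characters, about 10 bits for one inserted letter) all fall out of the same arithmetic, and the same arithmetic shows why a known "template" adds far less than its length suggests. The following is an added example written for this page, not code from Reinhold's site or from any commenter; the 95-character printable alphabet, the 5000-word list and the 100/10 suffix counts in the template illustration are assumptions chosen for the demonstration.

```python
import math

# Added example (editor's, not from any commenter): the entropy arithmetic
# behind the Diceware figures quoted above. Every number is a lower bound
# that assumes the attacker knows the list and the scheme; the only secret
# is which tokens were drawn, and the draw must be uniform and independent.

DICEWARE_LIST_SIZE = 6 ** 5      # 7776 words, one per five-dice outcome
PRINTABLE_ASCII = 95             # assumption: printable ASCII, space included


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n_words drawn uniformly and independently from list_size tokens."""
    return n_words * math.log2(list_size)


def password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose lower-bound entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def extra_letter_bits(passphrase_length: int, alphabet_size: int = 26) -> float:
    """Bits added by inserting one random letter at a random position.

    The attacker must guess both the letter and where it went; for a
    25-character passphrase and 26 letters that is 26 * 26 ~ 2**9.4,
    close to the "about 10 bits" quoted from Reinhold's page.
    """
    positions = passphrase_length + 1
    return math.log2(alphabet_size * positions)


def template_bits(slot_choices) -> float:
    """Entropy of a password built from a template the cracker already knows.

    slot_choices: number of equally likely options the user picked from at
    each slot. Fixed parts of the template (the capital letter, the trailing
    '!') are not choices and contribute nothing; length does not matter,
    only how many random decisions went in.
    """
    return sum(math.log2(n) for n in slot_choices if n > 1)


if __name__ == "__main__":
    for n in (4, 5, 6, 7, 8):
        print(f"{n} Diceware words: {passphrase_bits(n):.1f} bits")
    print(f"8 random printable ASCII chars: {password_bits(8):.1f} bits")
    print(f"words for 80 bits: {words_needed(80)}")
    # Assumed template: a word from a 5000-word list, two digits, one of ten
    # favourite symbols. Ten characters long, but only three random choices:
    print(f"template: {template_bits([5000, 100, 10]):.1f} bits "
          f"vs naive {password_bits(10):.1f}")
```

The point of `template_bits` is the "security by obscurity vs. real security" quote: once the cracker tries the template, the password is worth only the bits of the choices that went into it, so the fix is more random bits (another word), not a cleverer template.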
Re: Welcome to the Trump future...
In short, when I can tell why individual consumers
Know best who should approve their drugs and who should treat their tumors;
Why civilized existence in its intricate confusion
Will be simple and straightforward, absent government intrusion;
Why markets cannot err within the system I've described,
Why poor folk won't be bullied and why rich folk won't be bribed,
And why all vast inequities of power and position
Will vanish when I wave my wand and utter "COMPETITION!"---
He's so much more exciting than a common politician,
Inequities will vanish when he hollers "Competition!" -
Don't dump, fix
-
Diceware
Diceware.com Dice-Indexed Passphrase Word List
-
Re:Subversion of the West
ObLink: http://world.std.com/~mhuben/plofker.html
I've nothing but contempt for ideologies collectivist,
(My own ideas of social good tend more toward the Objectivist). -
use 'Diceware'
See http://world.std.com/~reinhold/diceware.html and https://en.wikipedia.org/wiki/Diceware.
Works for me, and is free (since I still have all my D&D dice) - it takes a little work on the user's part, but isn't your security worth it?
-
Re:Phonetic passwords
Bruce Schneier isn't usually wrong about this stuff, but it seems he's severely mistaken about what the XKCD/Diceware method actually is. You're choosing four words totally randomly from a list of ten thousand or so. Knowing someone is using the diceware method, their password will (still) have 51 bits of security, way more secure than most passwords and even the scheme that he describes in the blog post.
-
Re:6 sided dice?
The physical dice are there to provide true randomness. Diceware actually recommends casino dice. In fact, they explicitly say: Do not use a computer program or electronic dice generator.
-
Re:everyone who passed a math class knows
The advice is only wrong in that he said "common words" and didn't give a random procedure for picking - the size of the dictionary matters, and expecting humans to be random without some help isn't reliable.
There are several online generators based on the method, and if you don't trust that, there is the Diceware method which uses 5 dice (or 1 die rolled 5 times) to randomly pick words off a list.
-
Re:Every time XKCD 936 is Mentioned
The average user isn't going to have (or be able to write) a secure random word selector. He's going to look at the "new password" field and think up 4 words, and they're almost certain to be related somehow.
The Diceware method can be done with a downloaded word list file and some dice. If, as the article suggests, one is only using memorizable passwords where absolutely necessary, this method is neither burdensome nor difficult for even the most 'average' of users.
-
Re:Every time XKCD 936 is Mentioned
Just because the author asserts that the password system is broken doesn't make Randall Munroe's point about passwords incorrect. "At least one security researcher rejects that theory." What theory does he reject? It's simple math that shows that Munroe's method is better for creating stronger passwords (at least for the average user), but that has nothing to do with relying on password managers...
In addition, he seems to miss a rather key point about the xkcd method. He goes on about "users should not be choosing passwords" (which is correct), but note that the xkcd comic says 'four random common words'. In other words, in order to follow this method, the user would not be arbitrarily choosing a password but having it generated instead, by for instance using the Diceware method. The core idea is that a human being can much more easily memorize a randomly generated 4-5 word passphrase, as evidenced by the fact that we all seem to remember 'correct horse battery staple'. Yes, password managers are a great tool to handle the ever-growing array of passwords we must manage in our digital lives, but that doesn't preclude the idea that for those 5% of passwords he concedes must be memorized that Munroe's method is not a superior method in those cases, especially since he seems to fundamentally misunderstand it.
-
Re:Why? Simple bullshit is why.
I meant log2(5000^4), of course.
Well, not to waste this comment, gonna plug for Diceware as a nice freely available ~7k word dictionary organised for passphrase generation. Oh yeah, and it doesn't contain "refined", still.
The Diceware method is a good process, but it makes me uncomfortable to use a nice preformatted set of words to make a passphrase out of. Attackers could build a rainbow table pretty easily (and we know not enough people salt their database hashes) with a few PB of disk space. Why not make new Diceware lists from less common words, and change it every so often? It would require the same process but offer a lot more entropy.
Also w.r.t. your earlier claims about the top 5000 words, check that list again (you no doubt used the one from http://www.wordfrequency.info/...) there are only actually 4352 words in that list, it contains duplicates due to homographs.
-
Perl of the timesharing age, a real Adventure!
FORTRAN was -- for some still is-- the 'Perl' of scientific computing. Get it in and get it done... and it doesn't always compile down very tight, but always fast because for mainframe developers getting this language optimized for a new architecture was first priority.
At 15, the first real structured program I ever de-constructed completely while teaching myself the language, was the FORTRAN IV source for Crowther and Woods' Colossal Cave Adventure, widely regarded as 'the' original interactive text adventure, a genre which would later go multi-user to become the MUD. Read about it here, or play it in Javascript.
Crowther's PDP-11 version was running on the 36-bit GE-600 mainframes of GEISCO (General Electric Information Services) Mark III Foreground timesharing system... this is in the golden age of timesharing and no one did it better than GE. It took HOURS at 300bps and two rolls of thermal paper to print out the source and data files, and I laid it out on the floor and traced the program mentally, keeping a notebook of what was stored in what variable... I had far more fun doing this than playing the game itself.
FORTRAN IV and Dartmouth BASIC (I'll toss in RPG II also) were the 'flat' GOTO-based languages, an era of explicit rather than implicit nesting -- a time in which high level functions were available to use or define but humans needed to plan and implement the actual structure in programs mentally by using conditional statements and numeric labels to JUMP over blocks of code. Sort of "assembly language with benefits".
When real conditional nesting and completely symbolic labeling appeared on the scene, with good string handling, it was a walk in the park.
-
Re:also
Since Snowden's revelation about the NSA's clandestine $10 million contract with RSA,
If you're on NSA's radar you've got bigger problems than TrueCrypt's trustworthiness or lack thereof. The NSA doesn't have to have a back door into AES (or the other algorithms) when they have an arsenal of zero day exploits, side channel attacks, social engineering, and TEMPEST techniques at their disposal. The average user should be far more concerned about these attack vectors (from any source, not just NSA) than the security of the underlying encryption algorithm.
The Diceware FAQ sums up the problem rather succinctly: "Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day."
-
Re:Evidence is not a synonym for proof
You are correct of course. Thanks for pointing that out. I should have written "proof". Likely Tart puts it better. To agree with you, from:
http://rationalwiki.org/wiki/A...
"There are a few caveats to take into account to refine what a lack of supporting evidence says about a hypothesis. Absence of evidence is not necessarily strong evidence that outright disproves the hypothesis in the way that an observation that contradicts the hypothesis would be. ... As such, absence of evidence acting against a hypothesis is only a probabilistic approach and works best in a full Bayesian-style framework, which also takes into account other probabilities and other evidence."
== Some rambles on weighing the meaning of absence of evidence in US society
First, Tart claims evidence of paranormal activity from research studies. People may dispute that including by questioning the studies, so let's just assume there still is no evidence for the sake of discussion.
An important factor in weighing the meaning of the absence of evidence is the intense competition for research funds which is increasingly corrupting science. See: http://www.its.caltech.edu/~dg...
"Peer review is usually quite a good way to identify valid science. Of course, a referee will occasionally fail to appreciate a truly visionary or revolutionary idea, but by and large, peer review works pretty well so long as scientific validity is the only issue at stake. However, it is not at all suited to arbitrate an intense competition for research funds or for editorial space in prestigious journals."
For example, when Pons and Fleischmann submitted their "cold fusion" results to a peer review process for grant funding, it turned out one of the reviewers was working in the same area and was about to publish on it. This conflict (whoever is most at fault) ultimately led to the press conference announcement (against the scientists' preferences) as the university wanted to claim priority on the discovery (via creating artificial scarcity through patents). A handful of hot-fusion scientists (especially at MIT) after fairly brief and limited attempts then claimed the results could not be duplicated and that failure to replicate was essentially proof that Pons and Fleischmann were wrong and "cold fusion" could not exist given popular conceptions of nuclear physics at the time. Pons and Fleischmann may have been wrong in several ways, including in calling it "fusion" of any sort and also in their neutron measurements. But these were expert chemists well experienced in heat measurements and that part of what they did was likely valid, and likely they did detect excess heat. But for *decades* any mention of doing cold fusion research became academic suicide based on the handful of failures to replicate by people whose short-term interests were served by not finding results. Only a few (mostly older, tenured) people continued to work on that. Related:
http://newenergytimes.com/v2/r...
http://www.e-catworld.com/2014...
http://undsci.berkeley.edu/art...
"Cold Fusion" (now LENR) Research has been picking up in the last few years though, such as with this LENR conference ironically at MIT:
http://world.std.com/~mica/201...
Another example is when Halton Arp was denied telescope time to pursue his "electric universe" ideas. Ignaz Semmelweis is another example from centuries ago, where his evidence of how to prevent disease by hand-washing was dismissed as in conflict with conceptions of health and disease at the time.
-
Re:Bad law...
Another means to educate the jurors - one that does not include any references at all to either litigant's products - should be chosen.
I think the Wright Brothers patent war with Glenn Curtis would be a good start, and then this...
-
We are borg
-
Humans are diurnal
Humans are diurnal (dI-UR-nal).
It means we sleep when it's dark and wake when it's light. (compare nocturnal)
The primary purpose of DST is to keep our scheduled wake time (as determined by school, work, etc) close to sunrise.
Everything else (energy savings! more shopping hours!) is just confusion and wishful thinking.
The controlling factor isn't east-west, it's north-south.
The further north you go, the more sunrise time varies with the seasons, and the more an adjustment like DST helps.
Stuffing the whole country into two time zones is a non-fix for a non-problem.
See also
How congress broke Daylight Savings Time
http://world.std.com/~swmcd/steven/letters/dst.html -
Re:Passwords? More like passsentences.
Combinations of words, such as the famous "horsebatterystaple" or the lesser known "walruspusflange", while suggested to extend the length of a password and reduce its susceptibility to brute forcing techniques, may nevertheless leave it vulnerable to directory combining attacks. Common passwords attached to each other sometimes reveal other passwords.
A silly and false assertion. Assume standard passwords in use. Your "dictionary" would consist of a list of characters ([A-Za-z]), digits ([0-9]), and punctuation. I don't know how many tokens that is, but let's say it's less than 100. So you end up with a "dictionary" of 100 tokens.
The passphrase "dictionary" at Diceware consists of 7776 tokens. There is simply no way the argument can be made that a "dictionary" of 100 tokens is somehow more secure than a "dictionary" of 7776 tokens, provided that tokens are selected randomly from either dictionary. That's the key, randomness. Not what you use as your tokens.
-
Space is easy. Orbit is hard.
Flying to Orbit, with an update for SpaceShipOne
http://world.std.com/~swmcd/steven/stories/orbit.html -
How congress broke daylight savings time
How congress broke daylight savings time
A letter to my congressional representatives
http://world.std.com/~swmcd/steven/letters/dst.html -
Re:I Got It!
You may have a problem with true random number generation if you let a computer pick for you.
You could try diceware instead -- it's pretty unlikely you'll end up with dice that have some kind of vulnerability built into them that will compromise your password picks. Plus it costs a tiny fraction of a true random number generation card.
-
Re:I Got It!
If you had people generate a four word pass phrase, it's quite likely that most of them would contain only words from a relatively small subset of the English language.
You can get better results by picking the words at random, like the Diceware method does.
I suspect you'd get significantly better passwords on the average by having sites suggest passwords for the user, though I also guess people would forget their password more often.
Maybe some research is needed on generating memorable yet high-entropy passphrases.
-
Re:Wrong
The trouble with the pass phrase concept is that the whole words just become tokens. Most people's vocabulary is not that large.
That's why you use a standardized list of tokens (mostly words, but some non-word tokens as well) such as Diceware. With 7776 tokens, the keyspace is far larger than the "normal 7 character" password. The trick is to ensure that you are choosing the tokens randomly. You can use dice, your favorite random number generator, etc. I use several 4- and 5-token passphrases that I have remembered literally for years, each one unique. Type them enough times, and muscle memory takes care of the rest. Even after a period of non-use, it amazes me how my fingers will remember the passphrase but yet I can't recall the passphrase itself. -
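The two comments above (the 100-token versus 7776-token comparison, and the reply about choosing tokens randomly from a standardized list) describe the Diceware lookup in words. What follows is an added example written for this page, not Reinhold's code or any commenter's: it maps five die rolls to the five-digit key used in the Diceware list file, checks that a loaded list covers every key, and draws words with the OS CSPRNG when physical dice are not in use. The word list it runs against is a constructed stand-in (word for key K is "w" followed by K), not the real list, so that the code runs offline.

```python
import secrets
from itertools import product

# Added example (editor's, not from any commenter): the Diceware lookup.
# A real list has 7776 lines of the form "11111<tab>a" ... "66666<tab>zzz";
# make_demo_list() below builds a constructed stand-in with the same keys.

DICE = range(1, 7)


def rolls_to_key(rolls) -> str:
    """Five d6 rolls -> the five-digit key used in the Diceware list file."""
    if len(rolls) != 5 or any(r not in DICE for r in rolls):
        raise ValueError("Diceware uses exactly five rolls, each 1..6")
    return "".join(str(r) for r in rolls)


def key_to_index(key: str) -> int:
    """Five-digit key -> row number 0..7775 (base 6 with digits 1..6)."""
    idx = 0
    for ch in key:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def expected_keys() -> set:
    """All 6**5 = 7776 keys a complete list must contain."""
    return {"".join(map(str, t)) for t in product(DICE, repeat=5)}


def parse_wordlist(text: str) -> dict:
    """Parse 'key<whitespace>word' lines; reject a list with missing keys.

    A truncated or edited list silently shrinks the keyspace, so the check
    is part of loading, not an afterthought.
    """
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        words[key] = word
    missing = expected_keys() - set(words)
    if missing:
        raise ValueError(f"list is missing {len(missing)} keys, "
                         f"e.g. {sorted(missing)[:3]}")
    return words


def make_demo_list() -> str:
    """Constructed stand-in list (not Reinhold's): word for key K is 'w' + K."""
    return "\n".join(f"{k}\tw{k}" for k in sorted(expected_keys()))


def roll_die() -> int:
    """One die roll from the OS CSPRNG. secrets.randbelow is unbiased; the
    Diceware page still prefers physical casino dice so that no software
    sits between the randomness and the user."""
    return secrets.randbelow(6) + 1


def diceware_passphrase(words: dict, n_words: int, roller=roll_die) -> str:
    """Draw n_words by rolling five dice per word and looking each key up."""
    out = []
    for _ in range(n_words):
        rolls = [roller() for _ in range(5)]
        out.append(words[rolls_to_key(rolls)])
    return " ".join(out)


if __name__ == "__main__":
    wl = parse_wordlist(make_demo_list())
    print(diceware_passphrase(wl, 6))
```

`roller` is a parameter so that a table of physical rolls can be fed in instead of the CSPRNG; the lookup and the completeness check are the same either way.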
Textbooks, too
It's not just the tests.
Textbooks have similar problems.
Critique of a bad physics text
Prentice Hall's Science Explorer: Motion, Forces and Energy
http://world.std.com/~swmcd/steven/rants/textbook.html -
Something of a fail
This doesn't take Diceware passwords into account, only user generated phrases (eg. song lyrics etc).
Good luck brute-forcing this: "curb dope yl wz 39 niche", a simple 6-word passphrase generated by Diceware, which has about 98.6 bits of entropy.
-
Re:When did slashdot become a haven for denialists
I stopped being a libertarian when I realized it wasn't workable, and that it never worked. Mike Huben has a great Non-Libertarian FAQ and Critiques of Libertarianism.
-
Re:Mine is 54321 UNREAL
I actually try that xkcd password now on any word list I use. First...;-)
That approach is Diceware, BTW,
http://world.std.com/~reinhold/diceware.html
http://happycattech.com/book/security-applications-0 (MS Excel and OpenOffice Calc implementations) -
Re:This is why you use encryption programs...
if you really want to encrypt something securely, you have to use a much larger keyspace, which, in this case, means generating a complete 256-bit key rather than deriving one from an ASCII password.
What do you protect your 256-bit key with? You obviously can't store it in plaintext anywhere on an electronic device that might be compromised. You can use hardware key fobs, TPM modules, sticky notes, smart cards, etc. All of those have similar problems protecting the secure key from attackers. Even using public key cryptography requires the private keys to be secured in some way.
Ultimately the best known method of protecting private information like cryptographic keys is a secret known only to the owner of the public key; a password. Pass-phrases are even better because it is much easier to add entropy to a memorable passphrase. diceware pass-phrases are a reasonable method of choosing secure passphrases, although a 5 word diceware pass-phrase only has about 65 bits of entropy which is probably a little short today. Change the case of a letter or two in each word for an extra bit of entropy per letter, and insert numbers/symbols between words for another couple bits per insertion. Add a sixth or seventh word if you want even more bits. It should not be hard to create a memorable pass-phrase with over 80 bits of entropy. While a far cry from 256 bits, it is unlikely to be brute forced by anyone short of a national agency within the next couple decades.
Using PBKDF2 to protect the data key further increases the work needed to brute force the password/pass-phrase space. Although in the case of archives it makes little difference whether a 256-bit random key is generated for data encryption or if the PBKDF2 derived key is used directly. There are no known weak keys for AES which means that the extra step of decrypting the 256-bit key with the PBKDF2 key corresponds to only a tiny fraction of the total workload for an attacker without any significant benefits, especially if the encrypted 256-bit data key is sent along with the archive. A benefit of using the PBKDF2 derived key is that there is less need for a source of secure random bits in the encryption utility. If there is a problem obtaining 256 cryptographically random bits during the key generation process then no passphrase will be sufficient to protect the contents of the encrypted file. The recent attack on Debian and Ubuntu ssh keys due to improper cryptographic random number generation should serve as a reminder that cryptographic randomness is hard and should only be relied on if absolutely necessary.
-
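The comment above argues that PBKDF2 raises the attacker's work per guess and that a memorable Diceware passphrase of 65 to 80 bits is what actually protects the data key. The following is an added example written for this page, not code from the commenter or from any archiver: it derives a 256-bit key from a passphrase with PBKDF2-HMAC-SHA256 and puts a number on what the iteration count buys. The iteration count, the 10^12 guesses-per-second cluster and the 16-byte salt size are assumptions for illustration, not figures from the comment.

```python
import hashlib
import secrets

# Added example (editor's, not from any commenter): deriving the data key
# from a Diceware passphrase with PBKDF2-HMAC-SHA256, and what the
# iteration count buys against an attacker who knows the scheme.

ITERATIONS = 600_000   # assumption; tune so one derivation takes ~0.5 s
KEY_BYTES = 32         # AES-256 key length


def new_salt(n: int = 16) -> bytes:
    """Per-file random salt; stored beside the ciphertext, not secret.
    It stops one precomputed table from serving every file."""
    return secrets.token_bytes(n)


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS,
               length: int = KEY_BYTES) -> bytes:
    """PBKDF2-HMAC-SHA256 over the passphrase. The iteration count multiplies
    the cost of every guess the attacker makes by the same factor it costs us."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=length)


def expected_attack_years(entropy_bits: float, iterations: int,
                          hmac_per_second: float) -> float:
    """Expected time for an attacker who knows the list and the scheme:
    half the keyspace on average, each guess costing `iterations` HMACs."""
    guesses = 2 ** (entropy_bits - 1)
    seconds = guesses * iterations / hmac_per_second
    return seconds / (365.25 * 86400)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key("curb dope yl wz 39 niche", salt)
    print(key.hex())
    # Five Diceware words (64.6 bits) against an assumed 10^12 HMAC/s cluster:
    print(f"unstretched: {expected_attack_years(64.6, 1, 1e12):.2f} years")
    print(f"stretched:   {expected_attack_years(64.6, ITERATIONS, 1e12):,.0f} years")
    # A sixth word adds 12.9 bits, worth more than any affordable iteration count:
    print(f"six words, stretched: {expected_attack_years(77.5, ITERATIONS, 1e12):,.0f} years")
```

Stretching buys a constant factor (here 600,000, about 19 bits); each extra Diceware word buys 12.9 bits for free at type time, which is why the comment's advice is to add words rather than rely on the KDF alone.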
There is no single thing called "libertarianism".
This should be required reading for anyone interested in getting into internet debates with libertarians:
http://world.std.com/~mhuben/libindex.html - Critiques of libertarianism.
(It should also be required reading for anyone who actually buys into that incoherent nonsense.) -
Re:RIP
See how ridiculous you become when you try to mock free market?
No. You might as well box the first two paragraphs of your post and caption them "straw man".
I see nothing wrong with letting everyone do anything that does not harm others.
The catch here will be how you define "does not harm others".
I don't agree with taxing people to create goods and services that could be provided voluntarily.
Government and its services are provided voluntarily. How many people are forced to work in government? Or do you mean funded voluntarily? Because the people choose to use what income you regard simplistically as "mine, all mine!" but which is only yours because the same people have decided that you are entitled to some of it.
It's only through GOVERNMENT INTERVENTION that copyrights and patents exist.
It's only through GOVERNMENT INTERVENTION (caps, bold and "write this down carefully" make you sound like an insane zealot) that (i) any sort of property is recognised; and (ii) the scope of property is limited. The free market in pre-Civil War southern states, for example, resulted in the view that some humans could be regarded as property.
Go away, read this, then argue with the people who contributed to it. Your opinions and their foundations have been heard and refuted a thousand times.
-
Re:Let me ask a "stupid" question
It's not so clear. Also posted somewhere in this thread this text [http://world.std.com/~reinhold/p=np.txt] might help you understand the matter.
-
Stanislaw Lem predicted all this in 1986
The polish SF writer Stanislaw Lem has predicted the evolution of warfare we're observing today as far back as 1986:
The really interesting essay of the three, and the one with the greatest connection to the rest of Lem's work, is the middle one, "The Upside-Down Evolution." Lem announces that, by unspecified means, he's gotten hold of "a military history of the twenty-first century," and proceeds to describe the advent and evolution of warfare by micro- and nano-robots.
It's been some time since I read it, but I recall him having envisioned evolution of war machinery as it became more and more miniaturized and swarm-like, until it was completely impossible to know if and who was attacking who. A country was able to e.g. form giant undetectable light-focusing lens overlaid in the upper layers of the atmosphere to influence agricultural yield of another country and affect its economy without needing to resort to direct contact and observable violence.
Very interesting to see the actual 21st century technology follow the exact path predicted by Stanislaw Lem. And we're only at its beginning.
All in all, a recommended read (like many other works by Lem).
-
Re:The US is not having a "hard time."
He's so much more exciting than a common politician,
Inequities will vanish when he hollers "Competition!" -
Re:Just great!!
This is just a recapitulation of the early days of radio broadcasting. The big players fought each other tooth and nail, and eventually formed a patent cabal to stifle innovation and keep smaller competitors out of the marketplace. Lawsuits based on the shakiest imaginable IP flew like arrows at Thermopylae, and at least one pioneering figure in wireless tech was driven to suicide.
That was the better part of a century ago. The patent system was abused by incumbents to protect their turf, people bitched and moaned about it, and nothing changed (except that patent terms got longer). Expect the same this time around.
-
Re:What would the impacts of this be for cryptogra
Some interesting posts on the topic
Yes, also one of the worst domain names ever
:) -
Re:SImple non-dictionary passwords
Just use diceware. It's got more than enough entropy and uses real words that are easy to remember.
-
Re:One had to dig deep for this gem...
So instead of a random password your are advocating a non-random password and calling it a passphrase.
I usually don't reply to ACs, but this warranted a response.
I advocated no such thing, and you obviously haven't RTFA. While I'd rather not disclose the random number generator I use for passphrase generation, I can assure you that the passphrase generated is certainly not "non-random." There's no need to spread FUD about passphrases...this is the very reason we're in the quagmire we are when it comes to password security.
-
CMS
So now CMS stands for "centralized monitoring system"... but Indians are doing an amateur job here, because anything centralized is doomed to become the single point of failure.
Real (social-)Engineers know better: don't put all your eggs in one basket. E.g. Decentralized, distributed, p2p web of surveillance in the clouds. (Grep for "Web Of Distrust" to see the relevant part.)
-
Re:Bottom Line: Use Long, Unusual Passwords
I use Diceware for all my obscenely long password needs
-
They should be discussing bits
They are only talking about "characters" in a password, which is a bit dubious. The important information is how many bits long the password provides. For a discussion on this see, for example: http://world.std.com/~reinhold/dicewarefaq.html#howlong For this reason and others, I'll take their "report" with a grain
-
On Dealing with Head Hunters
Some cautionary tales
-
Re:Can I ask..
Unless you're into burying USB sticks with PSK's in the backyard, thinking that your data is secure just because 'it's encrypted, and xyz encryption is unbreakable!' is a fallacy.
That would be a very bad idea. It's generally accepted in the US that if you write the password down somewhere and the authorities find out about it they can subpoena the writing. Failure to comply with the subpoena would result in a contempt of court citation and jail time until you complied. I would assume the same would apply with a USB stick.
It's much better to ensure that the password is only stored within your head. Using diceware you can come up with an easy to remember password that has enough entropy in it to be secure against brute force attacks.
-
Re:Live by sword...
Bill Gates' quote on the subject: "The solution to this is patent exchanges with large companies and patenting as much as we can." taken from the 1991 memo at http://www.std.com/obi/Bill.Gates/Challenges.and.Strategy
This isn't a solution, it's a self-centered kludge. A solution might have been to lobby strenuously for the abolition of software techniques or for the reform of how they are granted in the U.S.
Note also that the word "solution" (what Microsoft is in the business of selling) appears exactly twice in that memo. The other mention is about TrueType fonts - a solution developed by another company and presumably used through the grace of a patent exchange.