The best easily used technique for inventing passwords is "shocking nonsense."
Passphrase FAQ
2 October 1993
'"PGP," warns Dorothy Denning, a Georgetown University professor who has worked closely with the National Security Agency, "could potentially become a widespread problem.' -- (E. Dexheimer)
Comments to: Grady Ward, 1GOTO1@gmail.com
FAQ: How do I choose a good password or phrase?
ANS: Shocking nonsense makes the most sense
With the intrinsic strength of some of the modern encryption, authentication, and message digest algorithms such as RSA, MD5, SHS and IDEA the user password or phrase is becoming more and more the focus of vulnerability.
For example, Deputy Ponder with the Los Angeles County Sheriff's Department admitted in early 1993 that both they and the FBI despaired of breaking the PGP 1.0 system except through a successful dictionary attack (trying many possible passwords or phrases from lists of probable choices and their variations) rather than "breaking" the underlying cryptographic algorithm mathematically.
The fundamental reason why attacking or trying to guess the user's password or phrase will increasingly be the focus of cryptanalysis is that the user's choice of password may represent a much simpler cryptographic key than optimal for the encryption algorithm being used. This weakness of the user's password choice provides the potential cryptanalytic wedge.
For example, suppose a user chooses the password 'david.' On the surface the entropy of this key (or the number of different equiprobable key states) appears to be five characters chosen from a set of twenty-six with replacements: 26^5 or 1.188 x 10^7. But since the user is apparently biased toward common given names, which a majority appear in lists numbering only 6,000-7,000 entries, the true entropy is undoubtedly much closer to 6.5 x 10^3, or about four orders of magnitude smaller than the raw length might suggest. (In fact this password probably possesses a much smaller entropy than even this for the very common name "david" would be one of the first names to be checked by an optimized dictionary attack program.)
In other words the "entropy" of a keyspace is not a fixed physical quantity: the cryptanalyst can exploit whole cultural biases and contexts, not just byte frequencies, digraphs, or even whole-word correlations to reduce the key space he or she is trying to explore.
To thwart this avenue of attack we would like to discover a method of selecting passwords or phrases that have at least as many bits of entropy (or "hard-to-guessness") as the entropy of the cryptographic key of the underlying algorithm being used.
To compare, DES (Data Encryption Standard) is believed to have about 54-55 bits (~4 x 10 ^16) of entropy while the IDEA algorithm is believed to have about 128 bits (~3.5 x 10^38) of entropy. The closer the entropy of the user's password or phrase is to the intrinsic entropy of the cryptographic key of the underlying algorithm being used, the more likely an attacker would need to search a substantially larger portion of the algorithm's key space in order to rediscover the key.
Unfortunately many documents suggest choosing passwords or phrases that are distinctly inferior to the latest method. For example, one white paper widely archived on the internet suggests selecting an original password by constructing an acronym from a popular song lyric or from a line of script from, for example, the SF movie "Star Wars". Both of these ideas turn out to be weak because both the entire script to Stars Wars and entire sets of song lyrics to thousands of popular songs are available on-line to everyone and, in some cases, are already embedded into "crack" dictionary attack programs (See ftp.uwp.edu).
However, the conflict between choosing an easy-to-remember key and choosing a key with a high level of entropy is not a hopeless task if we exploit mnemonic devices that have been used for a long time outside the field of c
More like an inverse relationship to ponderousness, i.e., the more gigabyte flash disks and DVD+RW I carry to my on-site tech support sites, I can deal with client issues like an underfed greyhound.
Maybe it's because the Japanese think of these innovations as means of making their lives more powerful while we dismissfully label this things with geek-ghetto terms as "gadgets," "gizmos," or "widgets," which suggest novelty and bling-bling value but not necessarily usefulness.
Cf. OED: gadget -- "c. transf. and gen. An accessory or adjunct; a knick-knack or gewgaw."
I know. I know. They call you geeks and nerds with your gadgets as a term of *affection*.
I'll wave to you with my giant foam hand on geek pride day!
Nor would I.
I am comparing *new* parts still in original shrink wrap and current production on eBay, not used.
Here is an example: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&cate gory=51076&item=5145401215&rd=1/
Obvious eBay cachet is limited compared with Apple cachet, and there may be real differences in part and build quality, wear leveling algorithmss, etc, not to mention the famous Apple fit & finish, but why reflexively dis eBay?
It will have a much lower price point than...?... other iPods?... other flash MP3 players?... other MP3 players in general?
I can get a Gigabyte Lexar flash for their MP3 player for the low $70's off of eBay. I am using a part in the same family now "Jumpdrive" and am satisfied with its quality under heavy use.
Slashdot Mirror
The best easily used technique for inventing passwords is "shocking nonsense."
Passphrase FAQ
2 October 1993
'"PGP," warns Dorothy Denning, a Georgetown University professor who has worked closely with the National Security Agency, "could potentially become a widespread problem.' -- (E. Dexheimer)
Comments to: Grady Ward, 1GOTO1@gmail.com
FAQ: How do I choose a good password or phrase? ANS: Shocking nonsense makes the most sense
With the intrinsic strength of some of the modern encryption, authentication, and message digest algorithms such as RSA, MD5, SHS and IDEA the user password or phrase is becoming more and more the focus of vulnerability.
For example, Deputy Ponder with the Los Angeles County Sheriff's Department admitted in early 1993 that both they and the FBI despaired of breaking the PGP 1.0 system except through a successful dictionary attack (trying many possible passwords or phrases from lists of probable choices and their variations) rather than "breaking" the underlying cryptographic algorithm mathematically.
The fundamental reason why attacking or trying to guess the user's password or phrase will increasingly be the focus of cryptanalysis is that the user's choice of password may represent a much simpler cryptographic key than optimal for the encryption algorithm being used. This weakness of the user's password choice provides the potential cryptanalytic wedge.
For example, suppose a user chooses the password 'david.' On the surface the entropy of this key (or the number of different equiprobable key states) appears to be five characters chosen from a set of twenty-six with replacements: 26^5 or 1.188 x 10^7. But since the user is apparently biased toward common given names, which a majority appear in lists numbering only 6,000-7,000 entries, the true entropy is undoubtedly much closer to 6.5 x 10^3, or about four orders of magnitude smaller than the raw length might suggest. (In fact this password probably possesses a much smaller entropy than even this for the very common name "david" would be one of the first names to be checked by an optimized dictionary attack program.)
In other words the "entropy" of a keyspace is not a fixed physical quantity: the cryptanalyst can exploit whole cultural biases and contexts, not just byte frequencies, digraphs, or even whole-word correlations to reduce the key space he or she is trying to explore.
To thwart this avenue of attack we would like to discover a method of selecting passwords or phrases that have at least as many bits of entropy (or "hard-to-guessness") as the entropy of the cryptographic key of the underlying algorithm being used.
To compare, DES (Data Encryption Standard) is believed to have about 54-55 bits (~4 x 10 ^16) of entropy while the IDEA algorithm is believed to have about 128 bits (~3.5 x 10^38) of entropy. The closer the entropy of the user's password or phrase is to the intrinsic entropy of the cryptographic key of the underlying algorithm being used, the more likely an attacker would need to search a substantially larger portion of the algorithm's key space in order to rediscover the key.
Unfortunately many documents suggest choosing passwords or phrases that are distinctly inferior to the latest method. For example, one white paper widely archived on the internet suggests selecting an original password by constructing an acronym from a popular song lyric or from a line of script from, for example, the SF movie "Star Wars". Both of these ideas turn out to be weak because both the entire script to Stars Wars and entire sets of song lyrics to thousands of popular songs are available on-line to everyone and, in some cases, are already embedded into "crack" dictionary attack programs (See ftp.uwp.edu).
However, the conflict between choosing an easy-to-remember key and choosing a key with a high level of entropy is not a hopeless task if we exploit mnemonic devices that have been used for a long time outside the field of c
More like an inverse relationship to ponderousness, i.e., the more gigabyte flash disks and DVD+RW I carry to my on-site tech support sites, I can deal with client issues like an underfed greyhound.
Maybe it's because the Japanese think of these innovations as means of making their lives more powerful while we dismissfully label this things with geek-ghetto terms as "gadgets," "gizmos," or "widgets," which suggest novelty and bling-bling value but not necessarily usefulness.
Cf. OED: gadget -- "c. transf. and gen. An accessory or adjunct; a knick-knack or gewgaw."
I know. I know. They call you geeks and nerds with your gadgets as a term of *affection*.
I'll wave to you with my giant foam hand on geek pride day!
retinas? No, further than that -- limbic systems and their precedent DNA.
Nor would I. I am comparing *new* parts still in original shrink wrap and current production on eBay, not used.e gory=51076&item=5145401215&rd=1/
Here is an example:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&cat
Obvious eBay cachet is limited compared with Apple cachet, and there may be real differences in part and build quality, wear leveling algorithmss, etc, not to mention the famous Apple fit & finish, but why reflexively dis eBay?
It will have a much lower price point than...? ... other iPods? ... other flash MP3 players? ... other MP3 players in general?
I can get a Gigabyte Lexar flash for their MP3 player for the low $70's off of eBay. I am using a part in the same family now "Jumpdrive" and am satisfied with its quality under heavy use.
you mean run by blacks run over by whites