Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Most common (or Most important) privacy leaks



On 02/17/2015 04:03 PM, Edward Ned Harvey (blu) wrote:
> Well, writing down passwords for a little while until you memorize it 
> is good. Writing it down and keeping it around changes it from 
> something you know, to something you have. You might as well write 
> down a 256-bit random key, if you're not going to memorize it. 

Except a 256-bit random key is very difficult to type. Real words are much 
easier to type.

I have many of my passwords memorized, but it isn't a fixed set. My 
memory is more of a cache. When I don't use a password for a while, I 
will refer to my list, when I have been using it, I can type it by memory.

> Only takes 11 words to have cryptographic strength of 121. Everybody 
> is capable of memorizing eleven words. 

Harder than you make it sound. I have done it. It is easy to curve-fit a 
concept through three or four random words, but it gets a lot harder 
after that. It gets easy to start substituting a synonym or different 
form for one of the words. Also, when typing blind (i.e., no echo) it is 
easy to make a mistake and not know where in the sequence you made it. I 
have a quality encryption key that I type regularly, but not every day, 
and it is surprisingly hard to do. There is an optimal level of rest and 
caffeination that I don't quite know.

And speaking of encryption keys, don't confuse passwords with encryption 
keys.

A password is something you check against some oracle that can throttle 
the rate of its answers. That is why an ATM PIN of only 4-digits can 
offer good security. But an encryption key of 4-digits is worthless for 
anyone who is willing to work at it. Worthless as an encryption key but 
good as a password. The two are very different. Don't confuse them.

-kb
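An added illustration of the password-versus-key distinction made above (example code written for this archive page, not from the list or its posters). It puts numbers on the two situations: a 4-digit PIN behind a throttling oracle versus a 4-digit key that an attacker can test offline, plus the 11-word passphrase figure. The 2048-word list, the lockout threshold and the offline guess rate are assumptions chosen for the example.

```python
import math

# Constructed assumptions for the example (not from the thread):
WORDLIST_SIZE = 2048          # 11 bits per word, which gives 11 words = 121 bits
LOCKOUT_AFTER = 3             # guesses a throttling oracle allows before locking
OFFLINE_RATE = 1_000_000_000  # guesses per second against a 4-digit key, offline


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def pin_keyspace(digits: int) -> int:
    """Number of possible PINs with the given number of decimal digits."""
    return 10 ** digits


def online_break_probability(keyspace: int, attempts_allowed: int) -> float:
    """Chance of guessing a secret when an oracle permits only a few tries.

    With throttling, the attacker's budget is attempts, not compute, so the
    probability is simply attempts / keyspace.
    """
    return attempts_allowed / keyspace


def offline_expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to find a key when nothing throttles the attacker.

    With no oracle in the loop, half the keyspace is searched on average.
    """
    return (keyspace / 2) / guesses_per_second


def compare_pin_as_password_and_key(digits: int = 4) -> dict:
    """Summarise why the same 4 digits are fine as a PIN but useless as a key."""
    space = pin_keyspace(digits)
    return {
        "keyspace": space,
        "bits": math.log2(space),
        "online_break_probability": online_break_probability(space, LOCKOUT_AFTER),
        "offline_expected_seconds": offline_expected_seconds(space, OFFLINE_RATE),
    }


if __name__ == "__main__":
    print("11 words from a 2048-word list:", passphrase_bits(11, WORDLIST_SIZE), "bits")
    for k, v in compare_pin_as_password_and_key().items():
        print(f"{k}: {v}")
```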




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.



