BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: kentborg at borg.org (Kent Borg)
- Date: Fri, 3 Feb 2017 13:20:11 -0500
- In-reply-to: <d08d1f8f-e3ae-2e34-425e-83edf083780e@gmail.com>
- References: <iydoKFG1q6EvZNl6T2sztfNEyMK3eE7jp_2ZXrcPTgVFK1IPE5deLwZcViB_xDQMcb16enHDIBp9gek18AIxu5VrLtdgSHK6qEOO91dh2nA=@protonmail.com> <20170131014651.GA21915@newtao.randomstring.org> <1cca093a-2f5b-c105-0288-5f435c11104e@borg.org> <e94de5ff-7644-d501-ccb4-fd4a6b32ff7a@napc.com> <565bdd82-c70e-3e64-6786-63f9b8de12da@borg.org> <e480dec0-22f0-99be-dbc0-fa3f75ddd1fe@gmail.com> <a47bda52-ca1f-15ab-2f57-3ab5d1519a48@borg.org> <ecfa4f25-9416-ddcc-d92f-7979136fdf96@borg.org> <837eb7de-a956-c4bb-63f4-e1bcfa0e3861@gmail.com> <37fde12c-5572-a9e2-0525-fb37a8400691@borg.org> <5560cbeb-9a49-b959-c28a-44a3f0145d0f@gmail.com> <b261f072-dd42-b3e1-119e-3a380444a4dc@borg.org> <CA+h9Qs59TDWE22RJ561vrLs4J6JmNN9W6Tqg=9mPGTUy4E4KLQ@mail.gmail.com> <01da354a-066d-2c10-1e10-5780569627e5@borg.org> <d08d1f8f-e3ae-2e34-425e-83edf083780e@gmail.com>
On 02/03/2017 12:40 PM, Richard Pieri wrote:
> On 2/3/2017 8:47 AM, Kent Borg wrote:
>> I'll change it to 12-honey-denver-doctor then!
>>
>> No one will even guess that.
> A dedicated Hashcat rig can "guess" it within 5 minutes.

You are confusing (1) a password used as a password, and (2) a passphrase used for an encryption key. They are completely different.

1. A password with 32 bits of entropy is quite good: because there are limits to how fast any computer system will accept password attempts.

2. An encryption passphrase with anything much less than ~100 bits of entropy is weak: because there is no hard limit on how fast an attacker might try to crack it (buy more hardware, work in parallel).

> Take a 2K word list. There are about 8 billion (2^33) possible
> combinations of 3 words from this list. Add the 2 character prefixes and
> you approach 2^40 possible combinations. Sounds like a lot but it's
> still fewer than the entire DES keyspace (2^56). How random your
> sequences are doesn't matter when the set of all possible sequences is
> so weak.

And none (none!) of that applies to a password, used as a password, and not recycled between different systems. You are talking about encryption key passphrases, and your logic is sound in that case.

You are a proponent of ssh keys, right? And you encrypt yours, right? And you use a passphrase...that has how much entropy? I bet less than 100 bits of entropy, because typing good passphrases is really hard. I further bet that your key sits unencrypted much of the time because you are too lazy to type even your poor passphrase every time you would have to.

Good passphrase hygiene is hard, much harder than good password hygiene. Compared to a decent password (that isn't shared between systems*) ssh keys solve a problem that doesn't exist, yet they create additional problems that you ignore.

-kb

* On not recycling passwords: Everyone does it, I assume you do, too. So if someone cracks into one system, yes they might crack into other systems sharing that password. Well, it is unfair to blame your secret password for the fact that you have been handing out copies of a password you should have been keeping secret. The fix for this problem is to keep your password secret and not to recycle it between systems.
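To put numbers on the online-versus-offline distinction argued above, here is an added example (not from the thread or either poster) that computes the entropy of the "2K word list, 3 words, 2-character prefix" scheme and the expected time to exhaust it under an assumed login throttle versus an assumed offline rig rate. The guess rates and the decimal-digit prefix are assumptions chosen for illustration.

```python
import math

# Constructed parameters matching the scheme discussed in the thread.
WORDLIST_SIZE = 2000      # "a 2K word list"
WORDS = 3                 # three words, e.g. honey-denver-doctor
PREFIX_ALPHABET = 10      # assumed: two decimal digits, e.g. "12-"
PREFIX_LEN = 2

# Assumed attacker rates (not measurements from the thread).
ONLINE_GUESSES_PER_SEC = 10.0     # a login service that throttles attempts
OFFLINE_GUESSES_PER_SEC = 1e9     # a GPU rig against a fast, unsalted hash

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(wordlist_size, words, prefix_alphabet=1, prefix_len=0):
    """Bits of entropy for `words` uniformly random words drawn from a list
    of `wordlist_size`, plus `prefix_len` uniformly random symbols from an
    alphabet of size `prefix_alphabet` (prefix_alphabet=1 means no prefix)."""
    return words * math.log2(wordlist_size) + prefix_len * math.log2(prefix_alphabet)


def expected_crack_seconds(bits, guesses_per_sec):
    """Expected seconds to hit the secret: on average half the keyspace is tried."""
    return 2 ** (bits - 1) / guesses_per_sec


def compare_attacks(bits):
    """Return expected crack time, in seconds, for the throttled online case
    and the unthrottled offline case of a secret with `bits` of entropy."""
    return {
        "online_seconds": expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC),
        "offline_seconds": expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    words_only = entropy_bits(WORDLIST_SIZE, WORDS)
    with_prefix = entropy_bits(WORDLIST_SIZE, WORDS, PREFIX_ALPHABET, PREFIX_LEN)
    print(f"3 words from 2K list:       {words_only:5.1f} bits")
    print(f"plus 2-digit prefix:        {with_prefix:5.1f} bits")
    t = compare_attacks(with_prefix)
    print(f"throttled online (10/s):    {t['online_seconds'] / SECONDS_PER_YEAR:,.0f} years")
    print(f"offline rig (1e9/s):        {t['offline_seconds'] / 60:,.1f} minutes")
```

The same ~40-bit secret survives a throttled login for centuries but falls to the offline rig in minutes, which is the difference the two posters are arguing about.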