> "This is an answer to the batteryhorsestaple thing."
Steube misunderstands the xkcd comic [1]. There's a really good comment which explains it: "It could be argued that Randall's example of 4 words is too short -- and indeed, for some applications, it is. However for a typical dictionary size, and genuinely random selection, it is massively stronger than "typical" passwords and in fact easily adequate to defeat the above-mentioned attacks." [2]
Emphasis on "genuinely random selection."
[2] http://www.schneier.com/blog/archives/2013/06/a_really_good_...
'Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."'
If you won't ever find "gonefishing1125" using brute force, how on earth did they find "qeadzcwrstxv1331"?
Passwords are broken and I really wish we would all move away from them. Persona is a nice idea with regards to privacy and control, but it's still a password that you need to remember, which can be cracked. Also, people generally don't use strong passwords.
What irks me is that every OS in use today has support for strong cryptography and browser vendors could easily integrate that. We would no longer register for a website, we would simply upload our "Online Identity" or whatever we called it. This of course is just an id_rsa.pub with maybe name and email in the comment. The remote site stores the public key and the browser authenticates using the private key, stored securely in the keychain.
This has the potential to be invisible to users, and thus used by default, and highly secure since the local keychain can generate incredibly strong keys, all behind the scenes.
I like schemes that have an explicit input of n random bits (or where you can at least have a good estimate on the entropy.) With the Schneier Scheme I cannot be sure of the actual entropy of my password. Maybe my brain only generates a relatively small set of sentences which can be reverse-engineered from my comments on HN? :-)
A good algorithm would take n bits and map them uniquely to a set of strings that are easy to remember for a human. The apg utility does something like that.
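As an added illustration of the scheme described above (this is example code, not the thread's own code and not how apg works): n random bits are mapped reversibly onto a fixed-length word sequence, so the passphrase's entropy is known exactly rather than estimated. The eight-word list is constructed for illustration only; a real deployment would use a large list such as the EFF diceware list.

```python
import math
import secrets

# Constructed mini wordlist for illustration: 8 words = exactly 3 bits per word.
# A real list (e.g. EFF's 7776-word diceware list) gives ~12.9 bits per word.
WORDS = ["correct", "horse", "battery", "staple",
         "cloud", "river", "pencil", "orbit"]


def bits_to_words(value, n_bits, wordlist):
    """Map an integer drawn from n_bits random bits to a unique word sequence.

    The sequence is the fixed-length base-W representation of value
    (W = wordlist size, least significant digit first), so distinct inputs
    always yield distinct passphrases."""
    W = len(wordlist)
    n_words = math.ceil(n_bits / math.log2(W))  # enough digits for 2**n_bits values
    words = []
    for _ in range(n_words):
        value, idx = divmod(value, W)
        words.append(wordlist[idx])
    return words


def words_to_bits(words, wordlist):
    """Inverse mapping: recover the integer from the words (shows uniqueness)."""
    index = {w: i for i, w in enumerate(wordlist)}
    value = 0
    for w in reversed(words):
        value = value * len(wordlist) + index[w]
    return value


def entropy_bits(n_words, wordlist):
    """Entropy of n_words words chosen uniformly at random from wordlist."""
    return n_words * math.log2(len(wordlist))


def generate_passphrase(n_bits, wordlist=WORDS):
    """The explicit random input is n_bits from the OS CSPRNG, nothing else."""
    value = secrets.randbits(n_bits)
    return " ".join(bits_to_words(value, n_bits, wordlist))


if __name__ == "__main__":
    phrase = generate_passphrase(12)
    print(phrase, "->", entropy_bits(len(phrase.split()), WORDS), "bits")
```

With the 8-word list, 12 bits map to 4 words and the round trip through words_to_bits returns the original integer; swapping in a 7776-word list gives the ~51.7 bits the xkcd comic is usually credited with.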
Why not force the user to have strong login credentials?
I'm creating an online system that will store users' sensitive financial data. When setting up an account, the user will have to choose a password as normal, but will also be given a passphrase of the form "correct horse battery staple" that they must write down. To log in, the user will need to enter (a) username; (b) password; and (c) passphrase.
It is effectively a poor man's two-factor authentication - the second factor being the piece of paper containing the passphrase. I think it strikes a good balance between security, convenience and cost.
What do others think of this approach?
People seem to forget this important fact - that hashes get leaked. Without a hash corresponding to a user account it's quite hard to break into a given account with a moderately reasonable password, even if the hash can be 'broken' in milliseconds.
One benefit of being an Indian language speaker (or a speaker of another language not in the hackers' dictionary) is that we can easily choose reasonably secure passwords that are rememberable by simply using native-language phrases (combined with numbers and mixed caps).
The Ars article seemed totally irrelevant to me since it used MD5?
I don't understand the difference between "momof3g8kids" and "tlpWENT2m". Why would the latter be more secure?
Passwords should be a thing of the past. They give users an illusion of security.
Remember, security against cracking is a combination of password strength and key derivation function strength. Nothing will save you if your password is "password". Not much will save you if your password is hashed with MD5.
But scrypt can be over 100,000,000 times stronger than MD5 -- so if you're using scrypt you can afford to use a password which is 100,000,000 times weaker. "jdtwbv" hashed using scrypt is stronger than "H.*W8Jz&r3" hashed using MD5.