time for a personal journal entry

Let’s see – what has happened the past few weeks?

Week-before-last was the Usenix Security Symposium as detailed elsewhere in a proper report thingy; stuff which didn’t make it into the report included the 2.5 hour chitchat with two guys from NIST, plus myself and Steve Bellovin, making the proposition that there is no practical distinction between more secure passwords and less secure passwords; this may sound contrary to my whole philosophy, but to my mind there are:

  • PINs
  • Passwords
  • Strong Authentication
  • Biometrics

…and a division of passwords into good and bad is just an unjustifiable decimal point’s worth of extra security; if you try to subdivide passwords into “good” and “bad” then you are in an entirely subjective space, where every attempt to justify a division will be met with an inane counterargument.

eg: As a conversational strawman, I said:

OK: Here’s a Secure Password, Minimum Length 32, Max Length 255

…and was immediately challenged with:

How can you say that? How can you justify it?

…and the short answer was “I can’t, but neither can anyone prove that it isn’t, nor justify any other length. What about 33? 31? 24? …”

A subsequent chat with Diffie led to the idea of passing the plaintext through a good compression function to establish how many bits of entropy are in the plaintext – but then you will get into arguments of which compression function to use, plus the fact that it is perfectly possible (and quite common) to create HIGH1y EN7R0piC T3XT that is guessable by something like Crack.
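The compression idea and both objections to it, as an added example that is not part of the original post: three standard compressors give different bit counts for the same string, and a substituted phrase that none of them shrinks still normalises to plain dictionary words. The wordlist, the substitution table and the names `compression_estimates`, `dictionary_hits` and `assess` are constructed for illustration and do not reproduce Crack's own rules.

```python
import bz2
import lzma
import zlib

# Constructed sample wordlist (assumption): a real checker loads a large dictionary.
WORDLIST = {"highly", "entropic", "text", "password", "dragon"}

# Assumed substitution table: undoes common look-alike swaps before the lookup.
UNLEET = str.maketrans("1703458$@", "ltoeasbsa")


def compression_estimates(candidate: str) -> dict:
    """Return the size in bits that each compressor produces for candidate."""
    raw = candidate.encode("utf-8")
    return {
        "zlib": 8 * len(zlib.compress(raw, 9)),
        "bz2": 8 * len(bz2.compress(raw, 9)),
        "lzma": 8 * len(lzma.compress(raw)),
    }


def dictionary_hits(candidate: str) -> list:
    """Normalise case and substitutions, then return the words found in WORDLIST."""
    normalised = candidate.lower().translate(UNLEET)
    return [word for word in normalised.split() if word in WORDLIST]


def assess(candidate: str) -> dict:
    """Report both views so a large bit count cannot hide a dictionary match."""
    words = candidate.split()
    hits = dictionary_hits(candidate)
    return {
        "bits": compression_estimates(candidate),
        "hits": hits,
        # True only when every space-separated token is a known word.
        "dictionary_match": bool(words) and len(hits) == len(words),
    }


if __name__ == "__main__":
    # Constructed inputs: the phrase from the text and a trivially repetitive string.
    for sample in ("HIGH1y EN7R0piC T3XT", "a" * 20):
        print(repr(sample), assess(sample))
```

For strings this short the container overhead of each format dominates the output size, which is one more reason the bit counts disagree.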

To radically misquote Yoda:

Use passwords, or not use passwords. There is no “try to use better passwords”

Before some cleverclogs points this out, the only reason I permit to distinguish PINs from “weak passwords” is a matter of economic necessity – too many devices out there cannot afford a QWERTY keyboard.

For some reason the entire week’s social chit-chat seemed to revolve around the BBC comedy Coupling, which has many fans in the USA who are dubious about the upcoming NBC version of the same. Certainly the humour is portable, as evinced by the reaction to testing the one swallow does not make a girlfriend joke – the selfsame one that apparently gets cut in the American version because NBC thought that “too few people will get the joke”.

What happened last week?

Two days admin, one day in France buying stuff, two more days work, the latter mostly involving chasing around for Logos to use in video work.

What did I do on Saturday? Domestics. Laundry, sorting the stuff that I bought in France, plus getting the spare room into some semblance of order. The house is looking more and more like a B&B, which is odd given the mess I used to live in when I was an adolescent.

The cats are fine – Buster is still complaining that I dug up the concrete strip on which he used to sunbathe, but is otherwise happy. Suzi seems in perfect health – modulo the occasional mild fit – however she seems to have changed; she’s a lot more gentle and somewhat slower – physically and mentally – so I think that age is catching her up, rather faster than it is Buster.

11 years is not bad, though.
