May Contain Blueberries

the sometimes journal of Jeremy Beker

This is what happens when I read books that cover security. I just finished reading Bruce Schneier and Niels Ferguson’s book, Practical Cryptography and it was wonderful. It had sections that made my brain hurt (group theory, argh) but the concepts presented were very important. It made me reconsider many of the technologies I had helped to develop at 3GI (and made me realize that much we had done was purely to fool the ignorant, not provide real security). The result that often happens when I read books that make me think about security is that I realize the mistakes I make in my own security precautions. So I have been going on a small campaign to secure my credentials better.

Passwords are a hard one. According to the book (and other literature I have read) the English language provides about 2 bits of entropy per letter. This is not so good, especially when you are using an 8 character password (which is about the best anyone can remember). What this means is that you may have a nice huge 1024 bit RSA key, but if it is protected by an 8 character password, guess which is the weak point someone might try to exploit?

The alternative (on systems which support it) is to use a phrase or sentence that you come up with. It takes longer to type, but you get a much more secure system.

So I have replaced my pidly password on the high security items with 30-40 character passphrases.

At least my typing will have to improve.