On Tue, 2019-06-25 at 03:00 +0200, Emil Lundberg wrote:
> On Tue, 25 Jun 2019, 01:14 Ralf Mardorf via arch-general, email@example.com wrote:
>> You want to make the packages available for general use. Does general use require behavioral biometric verification and spring guns?
>> Black hats are able to hack Google and Facebook; whatever you do, you will never be able to reach the level of security that those and the other most successful computer-related companies are able to accomplish.
>> IMO an average "strong" but still memorizable passphrase, even when following obsolete rules, is ok.
> I think the fact that it's not possible to be perfectly safe is not a good reason to not earnestly consider what you _can_ do to try to protect yourself. Of course you won't stand a chance if a nation-state is determined to get you, but that doesn't mean you should just give up and wing it, because the most relevant threats are probably much less capable in most cases. It's still a good idea to try to quantify one's threat model and what it would take to protect yourself, and then make a (somewhat) educated decision on how much effort one is willing to spend on it.
If I leave my home, I don't leave the apartment door wide open. I lock the door. The door is locked by a pin tumbler. Everybody knows that professional thieves are able to open the door without any great effort, while average people need a lockout service to open the door if they have lost the key. There could be reasons to lock the door in a more secure way, but a pin tumbler, for good reasons, is still the most used way to lock apartment doors.
Just my experiences:
I remember 2 passphrases of around 10 random chars each. However, I had written down the passphrases and kept the paper for a long time, and now I'm using those passphrases on a regular basis. I do not rotate those passphrases.
For things that are unimportant to me, I'm using very weak passphrases, and if I don't use them often enough, I even forget some of the weak passphrases. A word and 4 random chars could already be too hard to remember when seldom used.
Passphrase rotation for a single passphrase containing 16 to 20 random chars would be too much effort for me.
That's just me. Or isn't it just me?
Actually biometric verification is much used nowadays, but there are different levels of biometric verification, some biometric verification methods are not as safe as people guess.
Actually my bank offers me to choose a 4-digit PIN, because average people often forget even 4 random numbers. I'm from the analog landline generation; we were able to remember several 6-digit telephone numbers of our friends, because we were used to doing it. For people who aren't used to doing it, because it's not needed anymore to remember even a single telephone number, it's getting harder to remember contextless random chars. They do not develop this skill, but they develop other skills instead.
In a nutshell: I guess for most people it's possible to remember one 16 to 20 char random passphrase, if it is often used. I doubt that a lot of people remember 16 to 20 chars if they rotate the passphrase as often as recommended. Humans get older, humans get a cold etc. pp.; they need to remember that passphrase even if they should be temporarily in a bad state.
Some computer freaks are out of touch with reality.
Even if we learn passphrases that fulfil today's security recommendations, in how many years will we need to learn passphrases that are 2 times, 3 times or 4 times that long? In 5 years?
It's not realistic to assume that the majority of people are able to follow. All of us have a limit to how many context-free random chars we can remember. There is an easy-to-learn mnemonic to remember random words of objects. By painting a picture in one's mind's eye containing all the objects, almost all people will remember those words. However, "painting" such a picture is time consuming and not as easy as it sounds. There is already a learning curve to learn how to use this mnemonic.
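To put numbers on the trade-off discussed in this thread (random chars nobody remembers versus random words a mnemonic can hold), here is an added example that is not part of the mailing-list exchange; it estimates the entropy of the passphrase styles mentioned above. The 7776-entry wordlist (a Diceware-style list) and the 1e10 guesses/s offline rate are assumptions, and "word + 4 random chars" is modelled as one word drawn uniformly from that list.

```python
import math

# Constructed model of the passphrase styles mentioned in the thread;
# the wordlist size and guessing rate below are assumptions.
WORDLIST_SIZE = 7776          # Diceware-style list, 6**5 entries (assumed)
PRINTABLE_ASCII = 95          # printable ASCII symbols
OFFLINE_RATE = 1e10           # guesses per second, assumed offline attacker


def random_chars_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of `length` chars drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def random_words_bits(words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Entropy in bits of `words` words drawn uniformly from a `wordlist`-entry list."""
    return words * math.log2(wordlist)


def words_needed(target_bits: float, wordlist: int = WORDLIST_SIZE) -> int:
    """Smallest number of random words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist))


def years_to_exhaust(bits: float, guesses_per_second: float = OFFLINE_RATE) -> float:
    """Years needed to try every candidate (the attacker's worst case) at a given rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def scheme_table() -> dict:
    """Entropy of each passphrase style from the thread under the model above."""
    return {
        "4-digit PIN": random_chars_bits(4, 10),
        "word + 4 random chars": math.log2(WORDLIST_SIZE) + random_chars_bits(4),
        "10 random chars": random_chars_bits(10),
        "16 random chars": random_chars_bits(16),
        "20 random chars": random_chars_bits(20),
        "5 random words": random_words_bits(5),
        "9 random words": random_words_bits(9),
    }


if __name__ == "__main__":
    for name, bits in scheme_table().items():
        print(f"{name:24s} {bits:6.1f} bits  {years_to_exhaust(bits):10.2e} years to exhaust")
    # Nine random words already exceed 16 random printable chars in entropy.
    print("words matching 16 random chars:", words_needed(random_chars_bits(16)))
```

Note the contrast: a 4-digit PIN has about 13 bits, while nine random words (memorable with the picture mnemonic described above) exceed the roughly 105 bits of 16 random printable chars.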