[arch-general] How long do you make the passphrase for the private key?

Ralf Mardorf silver.bullet at zoho.com
Tue Jun 25 08:58:17 UTC 2019


On Tue, 2019-06-25 at 03:00 +0200, Emil Lundberg wrote:
> On Tue, 25 Jun 2019, 01:14 Ralf Mardorf via arch-general, <arch-general at archlinux.org> wrote:
> > You want to make the packages available for general use. Does general
> > use require behavioral biometric verification and spring guns?
> > 
> > Black hats are able to hack Google and Facebook; whatever you
> > will do, you never ever will be able to reach the level of security
> > those and the other most successful computer related companies are able
> > to accomplish.
> > 
> > IMO an average "strong" but still memorizable passphrase, even when
> > following obsolete rules, is ok.
> I think the fact that it's not possible to be perfectly safe is not a
> good reason to not earnestly consider what you _can_ do to try to
> protect yourself. Of course you won't stand a chance if a nation-state 
> is determined to get you, but that doesn't mean you should just give
> up and wing it, because the most relevant threats are probably much
> less capable in most cases. It's still a good idea to try to quantify
> one's threat model and what it would take to protect yourself, and
> then make a (somewhat) educated decision on how much effort one is
> willing to spend on it.

If I leave my home, I don't leave the apartment door wide open. I lock
the door. The door is locked by a pin tumbler. Everybody knows that
professional thieves are able to open the door without any great effort,
while average people need a lockout service to open the door if they
have lost the key. There could be reasons to lock the door in a more
secure way, but a pin tumbler, for good reasons, is still the most used
way to lock apartment doors.

Just my experiences:

I remember 2 passphrases around 10 random chars. However, I had written
down the passphrases and kept the paper for a long time and now I'm
using those passphrases on a regular basis. I do not rotate those
passphrases.

For things that are unimportant to me, I'm using very weak passphrases,
and if I don't use them often enough, I even forget some of the weak
passphrases. A word and 4 random chars could already be too hard to
remember when seldom used.

Passphrase rotation for a single passphrase containing 16 to 20 random
chars would be too much effort for me.

That's just me. Or isn't it just me?

Actually, biometric verification is much used nowadays, but there are
different levels of biometric verification; some biometric verification
methods are not as safe as people guess.

Actually, my bank offers me to choose a 4 number PIN, because average
people often forget even 4 random numbers. I'm from the analog landline
generation; we were able to remember several 6 number long telephone
numbers of our friends, because we were used to doing it. For people who
aren't used to doing it, because it's not needed anymore to remember even a
single telephone number, it's getting harder to remember contextless
random chars. They do not develop this skill, but they develop other
skills instead.

In a nutshell: I guess for most people it's possible to remember one 16
to 20 chars random passphrase, if it is often used. I doubt that a lot
of people remember 16 to 20 chars if they rotate the passphrase as
often as recommended. Humans get older, humans get a cold etc. pp., they
need to remember that passphrase even if they should be temporarily in a
bad state.

Some computer freaks are out of touch with reality.

Even if we learn passphrases that fulfil today's security
recommendations, in how many years do we need to learn passphrases that
are 2 times, 3 times or 4 times that long? In 5 years?

It's not realistic to assume that the majority of people are able to
follow. All of us have got a limit to remembering a lot of context-free
random chars. There is an easy-to-learn mnemonic to remember random
words of objects. By painting a picture in one's mind's eye containing
all the objects, almost all people will remember those words. However,
"painting" such a picture is time consuming and not as easy as it
sounds. There is already a learning curve to learn how to use this
mnemonic.

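To put numbers on the trade-off discussed in this thread (4-digit PIN, "a word and 4 random chars", 10 random chars, 16 to 20 random chars, and the random-words mnemonic), here is an added example, not code from the thread or from any Arch project, that computes the entropy of each passphrase style and the expected time an offline guessing attack would need at an assumed guess rate. The charset sizes, the 20,000-word dictionary, the 7776-word list and the guess rates are all assumptions chosen for illustration.

```python
import math

# Alphabet sizes are assumptions for the illustration, not values from the thread.
PRINTABLE_ASCII = 95      # printable ASCII characters, for "random chars"
DIGITS = 10               # for a numeric PIN
COMMON_WORDS = 20000      # assumed dictionary size for "a word"
WORD_LIST = 7776          # assumed size of a diceware-style word list

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` uniformly random symbols."""
    return length * math.log2(alphabet_size)

def word_plus_chars_bits(random_chars: int) -> float:
    """'A word and 4 random chars': one dictionary word plus random characters."""
    return math.log2(COMMON_WORDS) + entropy_bits(PRINTABLE_ASCII, random_chars)

def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is tried.
    A slow key-derivation function on the private key lowers the attacker's
    guess rate; the rate passed in should already account for that."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

def scenarios() -> dict:
    """Passphrase styles mentioned in the thread, mapped to their entropy in bits."""
    return {
        "4-digit PIN": entropy_bits(DIGITS, 4),
        "word + 4 random chars": word_plus_chars_bits(4),
        "10 random chars": entropy_bits(PRINTABLE_ASCII, 10),
        "16 random chars": entropy_bits(PRINTABLE_ASCII, 16),
        "20 random chars": entropy_bits(PRINTABLE_ASCII, 20),
        "6 random words (mnemonic)": entropy_bits(WORD_LIST, 6),
    }

if __name__ == "__main__":
    # Assumed offline guess rate: 1e9 guesses/s for a fast hash, 1e4 guesses/s
    # once a deliberately slow KDF protects the key. Both are constructed figures.
    for rate in (1e9, 1e4):
        print(f"\nguess rate: {rate:.0e}/s")
        for name, bits in scenarios().items():
            years = expected_years_to_guess(bits, rate)
            print(f"  {name:28s} {bits:6.1f} bits  ~{years:.3g} years")
```

The output shows why the thread's "16 to 20 random chars" sits in a different class from the 4-digit PIN or a word plus a few characters, and how much the guess rate (hence the KDF protecting the key) moves the result.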
