Hello all, I have thought about the best way to improve memory capabilities for average users, and here is an idea.
The average user is not a computer security professional but rather a business person who does not know all the subtleties of access control technology. The e-gold system uses a *passphrase* for access control, which is sometimes referred to as a *password* on this mailing list. The business catalogue on my site uses a *passphrase* for access control, but it is referred to as a *password* there in order to make usage less complicated for new users. The FreeBSD operating system uses a *passphrase* for system login but asks the user to input a *password* due to historical Unix user interface traditions. It may be a good idea to do some research among e-gold users on whether they know what the term *passphrase* really means or not. The result may be rather surprising for everyone. Most probably the average user just does not understand the important difference between a *password* and a *passphrase*, so the user needs some explanation of these terms.

This difference is both a historical and a technical one. Long ago, the secret used to grant access to something was stored as is, or with some sort of internal (sometimes one-way) encryption, in a database with a predefined fixed-size field dedicated to this purpose in every account record. It was believed at the time that passwords of 8 (eight) or more characters were secure enough for most business purposes; DES (the United States Data Encryption Standard, which was developed by IBM, improved by the NSA, and then recommended for business applications) has only 56 effective bits, which corresponds to about 8 (eight) random 7-bit ASCII characters. Data storage media was expensive then, so most business applications just used these smallest password sizes believed to be secure. If a cautious user created a longer password, then in most cases the extra characters were not used at all and were simply thrown away, so they did not add any extra security. Thus a *password* is a short sequence of characters which is hard to guess without serious automation.
As time moved on, computers became more powerful and password guessing software improved as well, making it relatively easy to guess passwords once believed secure. Security people started to require their users to use complex, and thus hard to remember, passwords which were still short for historical reasons and therefore not secure enough anyway. Defensive technology improved too and new methods for access control were invented. One of the improvements was the idea of using passwords of practically unlimited size while keeping in the database only a unique, fixed-size value derived from the password which takes every character of the password into account. One way to achieve this is to use the MD5 secure hash, which takes into account every character of a sequence of any size and generates 128 bits of data corresponding to that sequence. 128 bits corresponds to more than 18 (eighteen) random 7-bit ASCII characters, which is itself good enough for security, but there is one nice thing for human beings as well. The sequence of characters may now be of any size, so the user is not required to remember random garbage but is instead encouraged to be creative and switch on the imagination. Instead of a *password* like this -- h6Vd3EYs -- a creative user may invent a *passphrase* like this -- SeriousBusinessPeopleAreCreativeThusTheyAreAbleToRemember9SecurePassphrasesAtTheSameTime -- which is easy to remember and at the same time more secure than the short random garbage above. As Edwin Woudt has mentioned, average English text has about 1.4 bits of entropy per character, so in order to achieve the same level of security as a complex and hard to remember short *password* with 56 effective bits, the user should invent a complex but easy to remember long *passphrase* of more than 56 / 1.4 = 40 characters.
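As an added example (my own code, not from the original post or from e-gold), the following Python models the two schemes described above: a legacy scheme that keeps only the first 8 characters of the secret before computing the stored value, and a scheme that hashes the entire passphrase with MD5 so that every character matters. It also carries the entropy arithmetic through for both a 56-bit and a 128-bit target. The 8-character cutoff and the 1.4 bits per character figure are taken from the post; the function names and the sample secrets are constructed for this example.

```python
import hashlib
import math

# Figures taken from the post: 8 significant characters in the legacy scheme,
# and about 1.4 bits of entropy per character of average English text.
LEGACY_SIGNIFICANT_CHARS = 8
ENGLISH_BITS_PER_CHAR = 1.4


def legacy_digest(secret: str) -> str:
    """Model of the old fixed-size scheme: characters beyond the first 8 are
    thrown away before the stored value is computed, so they add no security.
    (MD5 stands in here for whatever one-way transform such a system used.)"""
    kept = secret[:LEGACY_SIGNIFICANT_CHARS]
    return hashlib.md5(kept.encode("utf-8")).hexdigest()


def full_digest(secret: str) -> str:
    """Hash of the whole passphrase: every character changes the 128-bit result."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


def tail_is_ignored(secret_a: str, secret_b: str) -> bool:
    """True when two different secrets are indistinguishable to the legacy
    scheme but distinct to the full-hash scheme, i.e. they differ only in the
    part the legacy scheme throws away."""
    return (secret_a != secret_b
            and legacy_digest(secret_a) == legacy_digest(secret_b)
            and full_digest(secret_a) != full_digest(secret_b))


def required_length(target_bits: float,
                    bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> int:
    """Minimum number of English-text characters needed to reach target_bits.
    The quotient is rounded to 6 decimals first so that an exact result such
    as 56 / 1.4 = 40 is not pushed up to 41 by floating-point noise."""
    return math.ceil(round(target_bits / bits_per_char, 6))


def estimated_bits(passphrase: str,
                   bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Rough entropy estimate for an English-text passphrase (length x bits per
    character). Only meaningful for natural-language text, not random strings."""
    return len(passphrase) * bits_per_char


if __name__ == "__main__":
    # Constructed sample secrets: identical in the first 8 characters, different after that.
    a = "Secret12-first-variant"
    b = "Secret12-second-variant"
    print("legacy :", legacy_digest(a), legacy_digest(b))   # same stored value
    print("full   :", full_digest(a), full_digest(b))       # different values
    print("tail ignored by legacy scheme:", tail_is_ignored(a, b))
    for bits in (56, 128):
        print(f"{bits}-bit target needs about {required_length(bits)} English characters")
```

Running the block prints identical legacy digests for the two sample secrets and distinct full digests, which is exactly the failure the post describes: under the old scheme the extra characters a cautious user types are silently discarded. The length calculation returns 40 characters for the 56-bit target and 92 for the 128-bit one.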
If a user wants a really secure *passphrase*, then for English text it would be reasonable to make it about 128 / 1.4 = 91.4 characters long, or even several times more just to be sure. There are lots of recommendations on the Net on how to invent a secure but easy to remember *passphrase*; the user should just ask Google about it politely.

Short recommendations:

- Do not use the sample passphrase above or anything similar to it.
- Do not use the same or a similar passphrase in different places.
- Do not use *any* quotations from *any* published sources; it is possible to scan entire libraries now and use them as crack dictionaries.
- Do not use lines from famous songs.
- Do not use common sayings.
- Do not use personal or related information.
- Do not use the same pattern of characters repeated several times in one passphrase in order to make the passphrase longer.
- Do not use descriptions of real things or events.

Questions about the e-gold technology: what is the size limit for the raw *passphrase* which the user enters, what characters are allowed in a *passphrase*, and how many characters of the *passphrase* are really taken into account by the e-gold system for authentication purposes?

Respectfully yours,
Dmitry Salnikov, http://dmitry-salnikov.com/index.htm
International business catalogue for e-gold users, http://dmitry-salnikov.com/veda.htm
Gold Web Ring traffic maker for e-gold sites, http://o.webring.com/hub?ring=gold
FreeBSD, Linux, C/C++, Perl, ... Web software development services, English / Russian translations.
