May 1st, 2011

pedant, law and order

sentence fragments will not save us

Thomas Baekdal’s post on using passphrases (from 2007) came up again two weeks back. In that post, Baekdal maintained the following thesis (I paraphrase):

Passphrases are better than passwords, because they are easier to remember and (because they are longer) they are “mathematically” harder to crack.

A series of security articles last week pointed to his post, and it received a round of retweets, including William Gibson’s approving retweet. The security articles that raised this article from the gloomy depths of 2007 were critiques, though, and Baekdal took the time to respond to those critiques.

Unfortunately, Baekdal is still badly misled (and misleading!) about his “mathematical” evidence regarding multiword expressions and the use of dictionaries to attack these.  The short form of the problem is:

The suggestions Baekdal proposes for better passphrases are themselves information leaks: they give clever crackers more, not less, information about the structure of your secret.

I address two of these leaks after the jump:

