Maximum Characters Allowed to Create a Password?

I guess we disagree. There are billions of web pages on the Internet so not only could the quote be from a book but it could be from any text from anywhere and of any length.

On the other hand people aren’t very good at making up or remembering random character passwords so not only do you have the same problem of poor password choice but the additional problem of being unable to remember it.

You could take a quote from anywhere if you think there aren’t enough books in your house and it is unlikely anyone will be able to figure out which quote out of all possible permutations and patterns. Even if you took a popular line from a movie it is impossible to figure out which movie it was, what year, etc.

You could develop a password cracker but it wouldn’t be able to know whether it’s a quote from a movie, a book, which movie, which line in the movie, or anything like that.

And you don’t have to use a complete sentence. YOUCANSAYITLIKETHIS or YOU CAN SAY IT LIKE THIS and it would make a big difference to the password cracker as well. The point is it’s just as important for the password to be easy to remember as it is for it to be difficult to guess because if the individual forgets their password everything is lost on SAFE Network. There is no password recovery built in as far as I know.

Luckybit, any human decision making is entropically compromised.

Take propinquity, availability heuristics, apophenia, pareidolia, conformity, priming, etc…
It is an illusion if you think your decisions are unique, and this is not a bug, but a feature for the human race. We are evolutionarily designed to NOT be random, and we are cognitively incapable of even perceiving randomness. We are highly influenceable, even subconsciously, through society and previous experiences.

You can set all your ideal scenarios of book based password generation, but it is as cumbersome and unrealistic as your unique skill of memorizing random arbitrary characters, the common people won’t execute it in your ideal form.
The underlying psychological mechanisms will make it fail for the common man. The roulette wheel is crooked.

1 Like

And any password generator which isn’t a true random number generator is deterministic. That would mean pseudo-random number generated passwords are all poor right?

At the same time a true random number generator isn’t something most people are going to have. That doesn’t mean a random book couldn’t be selected by a person and then a random phrase in that book also selected.

I think you just lack creativity here. You’re saying because most people don’t know how to choose a phrase at random from a book that most passwords would be weak. I’m saying it’s easier to choose a random phrase from a book than to come up with a bunch of random characters. And if you’re saying a person must have hardware entropy to come up with the random characters of course I would agree that would be better but I would also be able to say the same hardware entropy device could come up with or choose a random quote from some ebooks they put into the search space and it would be just as secure.

The point is that it has to be easy to memorize and high entropy to be useful as a brain wallet. Random characters can have high entropy but be impossible to memorize which is a problem, and also because there isn’t anything in the real world to connect back to if they forget their password there is no possibility of recovery which is an even bigger problem.

So you have to take into account password recovery not just password strength, you have to take convenience into account, and you have to take into account that most people probably won’t have hardware entropy devices to select their quotes from and will have to do it either themselves or use whatever is built into their computer to generate the random characters.

I would say a person is no better off or worse off if they use quotes from text they remember than if they use whatever they have built into their computer. The exceptions would be that of course if you have a hardware generator that isn’t built into the computer such as a USB entropy key or a Trezor like device then that would be superior but even they come up with random words, and nothing would stop them from coming up with memorable quotes (which they should do because it’s easier to remember than words anyway).

Whether the quotes come from books or are randomly generated is irrelevant. There is enough entropy either way to secure the data if you look at the math of it. It’s just that you want it to be an entirely automated process because some humans might choose something really stupid as their quote but even in that case it’s extremely unlikely that anyone could just guess or brute force the quote without checking all possible quotes in all languages which is computationally unfeasible right now.

Finding a random quote out of all possible permutations in all possible languages is computationally unfeasible. And if you or anyone thinks otherwise then I challenge you to crack something which uses a long 20 or 30 word quote as the encryption key.

And here is an example of a password I just created to prove a point:
THISPASSWORDCANNOTBECRACKEDBECAUSEITHASTOOMUCHENTROPYANDIS520bits

It is a simple quote, it’s impossible to crack using any computational methods because it would be unfeasible to guess that but super easy to remember it. Check the password strength, check the math, and you could see it’s impossible to crack a 520bit password.
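The arithmetic behind "check the math", as an added example that is not part of any post in this thread: it scores the quoted password under three different assumptions about how it was chosen, and draws a passphrase with the OS CSPRNG so its entropy follows from the list size. The 62-symbol alphabet, the pool of 10**9 candidate quotes and the 16-word list are assumptions constructed for illustration.

```python
import math
import secrets

# Password quoted in the post above.
PAGE_PASSWORD = "THISPASSWORDCANNOTBECRACKEDBECAUSEITHASTOOMUCHENTROPYANDIS520bits"

# Constructed 16-word sample list (4 bits per word); real lists such as Diceware hold 7776 words.
SAMPLE_WORDS = ["anchor", "bishop", "cactus", "dragon", "ember", "falcon", "glacier", "harbor",
                "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper"]

def storage_bits(password: str) -> int:
    """Bits needed to store the string at 8 bits per character; says nothing about guessability."""
    return 8 * len(password.encode("utf-8"))

def uniform_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random draws from `pool_size` options."""
    return picks * math.log2(pool_size)

def random_passphrase(words: list[str], count: int) -> tuple[str, float]:
    """Draw `count` words with the OS CSPRNG and return the phrase with its entropy in bits."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    phrase = " ".join(secrets.choice(words) for _ in range(count))
    return phrase, uniform_bits(len(words), count)

def estimates(password: str, alphabet: int, quote_pool: int) -> dict[str, float]:
    """Strength of one string under three different assumptions about how it was chosen."""
    return {
        "storage_bits": storage_bits(password),
        "if_random_characters": uniform_bits(alphabet, len(password)),
        "if_picked_from_quote_pool": uniform_bits(quote_pool, 1),
    }

if __name__ == "__main__":
    # Assumptions: 62-symbol alphabet (A-Z, a-z, 0-9); a pool of 10**9 candidate quotes.
    for name, bits in estimates(PAGE_PASSWORD, 62, 10**9).items():
        print(f"{name:28s} {bits:7.1f} bits")
    phrase, bits = random_passphrase(SAMPLE_WORDS, 6)
    print(f"sample passphrase: {phrase!r} ({bits:.0f} bits with this 16-word list)")
    print(f"six words from a 7776-word list: {uniform_bits(7776, 6):.1f} bits")
```

The same 65-character string scores very differently depending on the selection process assumed, which is the quantity the two sides of the thread are arguing over.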

You are still describing how the roulette works, if you didn’t get the point at this stage, it is pointless for me to stay in this discussion.

I think you’re not getting the point. The point which is this: “Security at the expense of usability comes at the expense of security.”

None of your solutions provide usability. If there is no usability then people will forget their passwords AND choose bad passwords. With usability people might choose bad passwords but they won’t forget them.

So in theory you could choose a password which perhaps isn’t long enough in terms of a quote and that would be bad because the entropy would not be enough. At the same time if you choose a long enough quote then the entropy is enough and it becomes both secure and easy for a person to remember.

What happens when a password is hard for a person to remember? It’s either forgotten or it’s written down. Then it’s no longer secure once it’s forgotten or written down. Some rare people might be able to remember 30 random characters but more people can remember a quote.

My method implemented poorly doesn’t compromise security, that’s why it is about describing random shit in our life events. Random shit -that happened- is always easy to remember because our brain is designed to remember novel and weird events as an evolutionary strategy for survival, that’s also the very foundation of mnemonics.

Your method implemented poorly falls into the same problems of single passwords, in fact it is almost certain that it will be implemented poorly by the common people selecting popular books and popular quotes.

I studied people for a living so I think I know a few things about social sciences.
BTW, I also have experience with the practical aspects of cracking passwords in the real world.
If you never cracked a password database, I’ll tell you that there are several patterns of people who: don’t know about secure passwords, and also, predictable patterns of people who think they know about secure passwords, and finally there is also a distinct pattern of those who really know how to make secure passwords.
Doesn’t matter how clever you think you are, if it is user generated and it is based on human decisions, it will always leave a pattern that allows cracking of seemingly high entropic password.

I rest my case.

This is fine, we are free to disagree. But the mathematics don’t lie and I put it forward so anyone can check what I have to say.

You’re focused on the psychology and social science part but social engineers are a different problem. The point is that there is a risk of forgetting your password with your method which means all your files on SAFE Network are lost forever and to a lot of people that is a greater risk than the risk of getting cracked.

Is it possible to change the password?..

Yes any of the credentials can be changed at any time. They are all under your control 100% of the time :wink:

3 Likes

So, are there burn addresses, in the way that there are for blockchains?.. those are public keys for which there is no private key. I wonder if that could act as a /dev/null for those who did want their data effectively or provably destroyed. Obviously, the data doesn’t disappear at a technical level but if no-one can access it, is that essentially a deletion??

I suppose a new passport is created with the same keys in it but then using the new credentials? Is it still possible to login with the old credentials to receive your old passport that also still has the keys?

No this will wipe out your previous session data with a new session. I feel this is right as you may be changing passwords for good reason. Your old account gets dropped.

How does that work? Username and PIN will provide a hash, say “GjhgBkjhMkjjkMHFGgfujgkJHLJHjhjhBnbnBMhjfg”. That hash is the name of my personal file, which is stored in the network in 3 chunks.

To open/unlock my personal file, I need my password. So what happens when I change password? A new personal file has to be created then? And what happens when my computer crashes while I’m just changing my password? Is there some sort of disaster-protection?

This is all in the self_auth paper. It does not create a file but a pointer to potential files. When you change credentials then a new pointer is created and old one deleted. So all trace is gone when new data is online. Your old data is not gone unless you have the new data. So there is an implicit read after write check before old account is gone.

3 Likes