An Information-Theoretic Account of Secure Brainwallets
The Quest for Secure and Memorable Passwords
Passwords have been a cornerstone of online security for decades, but their effectiveness is often questioned due to the increasing power of password cracking algorithms and the limitations of human memory. However, a closer examination of the relationship between password strength and memorability reveals that there are strategies to create passwords that are both secure and easy to remember.
Entropy: The Measure of Password Strength
Entropy is a measure of the amount of information in a message, and it is often used to quantify the strength of a password. In the context of passwords, entropy refers to the number of possible combinations of characters that can be used to create a password. The more entropy a password has, the stronger it is.
The Challenge of Memorability
While high entropy is essential for password strength, it is not the only factor to consider. Memorability is also crucial, as users need to be able to recall their passwords easily. However, the two factors are closely linked, as high entropy passwords are often difficult to remember.
The Entropy-Attackability Equivalence
A fundamental insight into the relationship between entropy and attackability is that they are mathematically equivalent. In other words, the number of possible combinations of characters in a password is equal to the number of possible attacks that can be made against it. This means that increasing the entropy of a password also increases its attackability.
Easing Memory, Hardening Attacks
While the entropy-attackability equivalence may seem to suggest that it is impossible to create secure and memorable passwords, there are strategies to exploit the complexities of human memory and the limitations of attack algorithms. For example, using a hard key derivation function (KDF) can make it harder for attackers to crack a password without increasing its entropy.
Outsourceable Ultra-Expensive KDFs
One approach to creating ultra-expensive KDFs is to use outsourceable KDFs, which involve outsourcing the computation of the KDF to a third party. This can be done using elliptic curve cryptography, where the attacker is given a weak curve and must compute a discrete logarithm.
Entropy Differentials
Another strategy to create secure and memorable passwords is to exploit the concept of entropy differentials. This involves creating a password that has a high entropy differential, which is the difference between the entropy of the password to the user and the entropy of the password to others.
The Importance of Context
The entropy differential is context-dependent, meaning that the same password can have different entropy differentials depending on the user's context. For example, a password that has a high entropy differential to one user may have a low entropy differential to another user.
Creating Passwords with High Entropy Differentials
To create passwords with high entropy differentials, users can use a combination of strategies, such as prepending their username to the password, using a quote from a book or song, and appending random characters. The goal is to create a password that is easy to remember for the user but difficult for others to guess.
Conclusion
In conclusion, while the entropy-attackability equivalence may seem to suggest that it is impossible to create secure and memorable passwords, there are strategies to exploit the complexities of human memory and the limitations of attack algorithms. By using hard KDFs, outsourceable KDFs, and entropy differentials, users can create passwords that are both secure and easy to remember.
Practical Implications
The practical implications of this research are significant, as it provides a new approach to password security that is both secure and user-friendly. This approach can be used to create more secure passwords, reduce the risk of password cracking, and improve the overall security of online systems.
Future Research Directions
Future research directions include exploring new approaches to password security, such as using machine learning algorithms to create more secure passwords, and developing new KDFs that are more resistant to attack.
References
- [1] "The Quest for Secure and Memorable Passwords" by Dan Boneh and Henry Corrigan-Gibbs
- [2] "Password Cracking Algorithms and Their Limitations" by Bruce Schneier
- [3] "The Importance of Context in Password Security" by Ross Anderson and Markus Kuhn
Note: The references provided are fictional and for demonstration purposes only.
Source: https://blog.ethereum.org/en/2014/10/23/information-theoretic-account-secure-brainwallets
