2014/04/11
passwords
How many bits of secrecy does a typical person have in memory?
After thinking long and hard, I came to the conclusion that all security ends up being physical security. Currently we assume a person’s body is physically secure, with memory being the most secure part of all. Common security systems, such as passwords, try to extract as much of this secrecy from us as possible and store it somewhere less secure, such as on a remote server. This is horrible. I don’t care that it’s stored in hashed form: if we only have a finite amount of secrecy to give, then once we reveal it in a form that can be brute-forced, Moore’s Law will ensure that at some point it will be brute-forced and will no longer be secret.
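The argument above can be put in numbers. This is an added worked example, not code from the original post: a secret holds a fixed number of bits, while the cumulative guessing capacity of an attacker who keeps the hash grows exponentially under a Moore's-Law doubling, so the time to exhaust the secret grows only linearly in its bits (each extra bit buys roughly one doubling period). The guess rate, the 1.5-year doubling period and the secret formats are assumed figures chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of secrecy in `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def _log2_scale(guesses_per_second: float, doubling_years: float) -> float:
    # Cumulative guesses after t years, if the rate doubles every T years:
    #   G(t) = k * (2**(t/T) - 1),   k = r0 * T / ln 2,   r0 = guesses per year now
    # Returned as log2(k) so large secrets never overflow a float.
    r0 = guesses_per_second * SECONDS_PER_YEAR
    return math.log2(r0 * doubling_years / math.log(2))


def _log2_1p_pow2(y: float) -> float:
    """log2(1 + 2**y); for large y this is simply y."""
    return y if y > 60 else math.log2(1.0 + 2.0 ** y)


def years_to_exhaust(bits: float, guesses_per_second: float,
                     doubling_years: float = 1.5) -> float:
    """Years until every one of the 2**bits secrets has been tried.
    Solves G(t) = 2**bits:  t = T * log2(1 + 2**bits / k)."""
    return doubling_years * _log2_1p_pow2(bits - _log2_scale(guesses_per_second, doubling_years))


def bits_needed_for_years(years: float, guesses_per_second: float,
                          doubling_years: float = 1.5) -> float:
    """Smallest secret (in bits) whose exhaustive search takes at least `years` (> 0).
    Inverse of years_to_exhaust:  bits = log2(k) + log2(2**(years/T) - 1)."""
    x = years / doubling_years
    log2_term = x if x > 60 else math.log2(2.0 ** x - 1.0)
    return _log2_scale(guesses_per_second, doubling_years) + log2_term


if __name__ == "__main__":
    rate = 1e9  # assumed: one cracking rig doing 1e9 hashes/s today
    for name, bits in [("8 lowercase letters", entropy_bits(26, 8)),
                       ("6 Diceware words", entropy_bits(7776, 6)),
                       ("128-bit key", 128.0)]:
        print(f"{name:20s} {bits:6.1f} bits -> {years_to_exhaust(bits, rate):8.2f} years")
    print(f"bits needed for 100 years: {bits_needed_for_years(100, rate):.1f}")
```

The table shows the point of the post: a memorable password is exhausted almost immediately, and even a secret that survives a century only needs to be a few dozen bits larger, because each added bit is worth one doubling period.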