> "IMO an averaged "strong" but still memorizable passphrase, even when > following obsolet rules, is ok." But we do not need to follow any obsolete rules anymore. > In a follow-up email unfortunately send after your reply, I exactly > describe the apartment door scenario. Which I have indirectly answered before you have sent it. With the second paragraph of my message. The comparison to the apartment door can’t be extended further, because an important difference appears. Better physical security costs a lot more and even now we’re sitting at the edge of the dimishing returns abyss. That’s exactly the reason why Yale decided to stop locks wars in 19th century and promoted pin tumbler locks as good enough. But the analogy to the lock doesn’t extend well, when it comes to information security. The costs have different nature and, as it happens, right now everyone can employ good security at approximately the same cost as the “not too horrible” solutions. You are trying to argue, that it is OK to use pin tumbler locks in wooden doors, while everyone can — at nearly the same price — acquire 10-inch steel gates with scifi eye scanners and a private army to defend the gate.⁽ᵗⁱⁿʸ ᵉˣᵃᵍᵍᵉʳᵃᵗⁱᵒⁿ⁾ ;) With Diceware, as an example, you randomly choose 5 words and have a 60-bit password. Why even bother with obsolete rules?
Attachment:
signature.asc
Description: OpenPGP digital signature
