Rethinking the usability of correct horse battery staple

I was a fan of XKCD 936, correct horse battery staple. I agree that passphrases are much stronger than passwords. But there's a massive usability concern with passphrases. Namely, entering them is a pain in the butt.

Recently I replaced one major password I use with a passphrase. Just 4 words long + a number. After days of use, I'm already sick of typing it in. Typing it in is not the issue if the frequency is low enough. No. The issue is when you have a typo and have to retype the whole thing. For instance, sudo doesn't echo the characters nor print asterisks. It's really a guessing game: you notice you made a typo, but you're unsure where. This is when I'm forced to hit Ctrl+C and start over. Or press enter and hope I get it right the next time.

I think passphrases are in a tough spot. They're too long to be easily typed in for high frequency use. But for low frequency use, I'm much better off with a password manager and a ridiculously long password. The only reasonable use case I can think of is full disk encryption. But only enough to defend against an evil maid attack. Short passphrases won't hold up against a determined attacker.

Solution? Not really. Using external USB tokens can solve the usability problem. But registering them against every use case is not scalable. Think every FDE, Linux machine, SSH server, etc. I own many (more than 5 used daily) devices as a part of my job and personal work. Register 3 tokens against each device? No thanks. I wish there was a better solution though.

For now, for most people, I recommend a password manager for online logins and other low frequency uses. For cases like sudo and disk encryption, I recommend a traditional, okay password with a good hash if you can select it.
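To put numbers on the two claims above (passphrases carry more entropy than typical passwords, and a slow hash is what saves a merely okay secret), here is a small worked calculation. This is an added example, not code from the post. The word list size (7776, a Diceware-style list) and the guess rates are constructed assumptions for illustration; the functions only do the entropy and expected-search-time arithmetic.

```python
import math

# Constructed assumptions (not from the post):
WORDLIST_SIZE = 7776                 # a Diceware-style word list
PRINTABLE_ASCII = 94                 # characters a password manager can draw from
FAST_HASH_GUESSES_PER_SEC = 1e10     # illustrative rate for a fast, unsalted hash
SLOW_KDF_GUESSES_PER_SEC = 1e3       # illustrative rate for a memory-hard, tuned KDF


def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE, digits=0):
    """Entropy of a uniformly random passphrase.

    Each word drawn from a list of size N contributes log2(N) bits;
    each appended random decimal digit contributes log2(10) bits.
    """
    return num_words * math.log2(wordlist_size) + digits * math.log2(10)


def password_entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits, guesses_per_sec):
    """Expected time for exhaustive search: on average half the space is tried."""
    return (2 ** entropy_bits) / 2 / guesses_per_sec


def compare(num_words, digits, password_length):
    """Return expected search times (seconds) for the post's two candidates
    under a fast hash and under a slow KDF, keyed by secret kind and hash kind."""
    phrase_bits = passphrase_entropy_bits(num_words, digits=digits)
    pw_bits = password_entropy_bits(password_length)
    return {
        "passphrase_bits": phrase_bits,
        "password_bits": pw_bits,
        "passphrase_fast_hash_s": expected_crack_seconds(phrase_bits, FAST_HASH_GUESSES_PER_SEC),
        "passphrase_slow_kdf_s": expected_crack_seconds(phrase_bits, SLOW_KDF_GUESSES_PER_SEC),
        "password_fast_hash_s": expected_crack_seconds(pw_bits, FAST_HASH_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    # The post's own setup: 4 words + a number, versus a long manager-generated password.
    result = compare(num_words=4, digits=1, password_length=20)
    year = 365 * 24 * 3600
    print(f"4 words + 1 digit : {result['passphrase_bits']:.1f} bits")
    print(f"  fast hash       : {result['passphrase_fast_hash_s'] / year:.2e} years")
    print(f"  slow KDF        : {result['passphrase_slow_kdf_s'] / year:.2e} years")
    print(f"20-char password  : {result['password_bits']:.1f} bits")
    print(f"  fast hash       : {result['password_fast_hash_s'] / year:.2e} years")
```

The point the numbers make: four random words plus a digit land around 55 bits, which a fast hash can grind through in roughly a day at the assumed rate, while the same secret behind a slow KDF takes many orders of magnitude longer. A 20-character random password from a manager is far beyond either rate, which is why the post is comfortable using one for low-frequency logins and why the hash choice matters most for the short secrets typed into sudo or a disk-encryption prompt.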

Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes I do AI research. Chronic VRChat addict.

I run TLGS, a major search engine on Gemini. Used by Buran by default.
  • marty1885 \at protonmail.com
  • Matrix: @clehaxze:matrix.clehaxze.tw
  • Jami: a72b62ac04a958ca57739247aa1ed4fe0d11d2df