@TheGibson What I'd really like to see is, say, lifetime or century-crack length over time.

That is, for a given year, what is the shortest password that can withstand likely crack attempts for 100 years.

Or perhaps ranked against budget: cracking for $0.01/key, $0.10, $1, $10, $100, $1,000, $1,000,0000, $billion, etc.

The cracking-rate progress and budget aspects of this are seriously underappreciated. Hell, I don't know these.

@dredmorbius @thegibson I think Bitcoin has proven the economy for this is a hell of a lot cheaper than people think. (Which is why I think the estimates in the chart above are woefully naive as they assume a single attacker and a one pw at a time attack.)

The amount of distributed compute power people are throwing around at cryptocoins for no budget but for imaginary profit is extraordinary. No human password survives ~100-days much less 100 years against cryptocurrency "mining".

@dredmorbius @thegibson Passwords that humans type in, much less are expected to "know" are dead as of like three years *ago*, it's just going to take years for people to understand the implications of that.

@abbienormal

I would have suggested that fifteen years ago, but now I’m not so certain about that either. I don’t think they are very humane in just pairs. Keybase got close to something but I don’t think they cracked the mainstream UX.

I’m slowly, fwliw, growing the opinion we need something *slow*. Involving things like post offices and notaries public, handshakes and stamps. Human time scales. Don’t know the “hows” exactly though.

@dredmorbius @thegibson

@abbienormal @dredmorbius @thegibson What little I know/picture of the “hows” is that it may have to get *weird* to be generally useful. Like pulling out weird ideas from fantasy novels weird as the only UX that “makes sense” to the average person.

“Sorry, I can’t log in to Gmail until I visit my local Apple Enchanter to re-enchant the magic runes back into my iPhone. Yeah it’s dumb I have to find a day to take these rune stones and my driver’s license over, but I like my phone soulbound.”

@abbienormal One possibility is that digital infotech is fundamentally incompatible with strong and reliable identity determination and/or assertion.

Another is that some mix of identifiers, including passphrases, but also other factors: observed behaviour, third-party attestations, physical tokens ( is one I'm partial to). Maaaaaybe biometrics, though I really don't like them. All of which require robust and efficient, though black-hat resistant, issuing and recovery procedures.

Eliminating needless (or harmful) authentication absolutely as well.

@max @TheGibson

@dredmorbius @abbienormal @thegibson I think “needless” authentication gets overlooked a lot. Too many websites want logins for stupid things like identifier tokens or marketing email collection. The subversion of the dream of the original OG OpenID into walled identity gardens didn’t help and while there is still maybe some hope for web platform tools like Webauthn and Web Payments, but not a lot (where’s Webemailaddr?). I still wish BrowserID hadn’t been eaten/starved to death by Firefox OS.

@max In meatspace there's a great deal of, for want of a better term, transient identity.

That might be token-based --- "take a number" at a deli or other service counter. It may be predicated simply by material presence in time and space --- standing in a queue, answering a door, visiting an office. Being "that guy at the gym" or "that girl at the club". Role-based identities --- museum docent, parks guide, bus driver.

For most of those involved, there's no reason to necessarily establish a longer continuity.

For transactional situations, distinguishing cash vs credit payment also makes a difference --- cash largely closes the book on a transaction, credit does not (absent returns and exchanges).

Online, these nuances are all but entirely lost.

@abbienormal @TheGibson

Sign in to participate in the conversation
Toot.Cat

On the internet, everyone knows you're a cat — and that's totally okay.