Password-Based Protocols

Cryptographic authentication relies on possession of a key by the party to be authenticated. Such a key is usually chosen randomly within its domain and can be of lengths from around 100 bits up to many thousands of bits, depending on the algorithm used and security level desired. Experience has shown [109, 333] that humans find it difficult to remember secrets in the form of passwords of even seven or eight characters. But if all upper and lower case letters are used together with the digits 0 to 9 then a random eight-character password represents less than 48 bits of randomness. Therefore we can conclude that even short random keys for cryptographic algorithms cannot be reliably remembered by humans. Another way to express this is that it can be assumed that a computer is able to search through all possible passwords in a short time.