Even though I like thinking about how systems can be made more secure and even how we could potentially take the human factor out of authentication, I feel that you contradict your own thesis a bit when you first say "there is always the rubber hose technique to beat the password out of you", followed by "but here's the ultra paranoid password technique!", posing it as a possible solution, leaving me thinking "but if I'm being beaten with a rubber hose, I'll GLADLY fill in my ultra paranoid password for you a thousand times!".
Plus, in your example, it says "$passLength = 30", does that mean I will have to remember a 30-character long set of numbers? Not sure how secure that is; what if I forget it? ;)
All in all I think the philosophy is great, but that this might be a technique that - reading this article - might be something suited mostly for those with enough IT knowledge and paranoia to go through "extreme(r)" measures for protecting their data, that will always be crackable anyways using a rubber hose technique.
Dave Smith - 2015-11-04 08:18:37 - In reply to message 1 from Stephan
It isn't my thesis, but here is how I see the rubber hose issue...
We are talking about a passcode that you do not know, it is part of muscle memory, so you can only perform it. Once you have been beaten with a rubber hose, your performance will likely suffer enough that you won't be able to give it up. Even when threatened, performance decreases, so unless you are cool under pressure, they still can't get it, in theory anyway.
You don't remember a 30-character-long string of key-presses, you train your muscles to perform them without thinking. You don't know it, so there is nothing to forget.
I agree that it isn't really practical right now, but what if in the future you are given a passcode as an infant and it becomes your permanent identifier for the rest of your life?
Anyway, the whole idea was that I found the concept interesting, and if you ever take a look at the packages I submit, they are an eclectic mix :)