Resolution: What password policies are the best?

As a well-known cryptographic expert, the achievement of Auster Kirk hovs is what we call the theory of cryptology in the kekehohoth principle:
The real password system should be secure even if everyone knows the operating process of the system. If security is compromised, you only need to replace the key instead of the entire system.

This is actually the second of the six principles he elaborated in his first book military cryptography. This article was published in 1883 and introduced the current situation of military encryption technology, and put forward suggestions for improving the French military password system. According to today's standards, the six principles of password design practice put forward by Auster kirhohodes seem a little outdated:

1. The system should have good availability. It cannot be unlocked unless it is mathematical.

2. The time for designing the system should not be kept confidential or balanced, resulting in a more complex communication process. (Kirk's Principles)

3. The key must be easy to remember and easy to change.

4. encrypted files should be transmitted by telegraph.

5. the device or file should be portable and easy to operate by a single user.

6. The system should be very simple to use and do not need to remember a large number of rules or put psychological pressure on users.

In fact, the cryptographic system established based on these principles can be said to be indestructible. By updating the words used, you can avoid misunderstanding that these principles only belong to a specific historical period:

1. The system should have good availability. It cannot be unlocked unless it is mathematical. Because it may be cracked, the system should be replaceable.

Strictly speaking, the second sentence is not necessary, but it can help to highlight the viewpoint. In practice, security technology is not always static. It must be a leader in the "Competition" with the cracker.

2. The time for designing the system should not be kept confidential or balanced, resulting in a more complex communication process.

You may notice that this principle does not actually need to be updated to ensure the relevance of its basic thinking or the actual connection. This may also be one of the reasons why it has become a highly valued and well-known ideological theory, especially in the field of encryption and security policy. Another important point is that the use of the system (as long as it is not designed to the system) does not fall into the scope of system design. Therefore, this principle is not necessarily applied.

3. The necessary conditions for using the system are that the instructions should be very simple and easy to change.

For most users, the actual keys used to encrypt the system must be easily remembered and changed. The key factor for the actual key is that private keys of systems such as OpenPGP should contain necessary parts for effective protection, prevent interception, speculation, or unauthorized cracking.

4. the encryption system should support General to advanced communication technologies and support new communication methods including stenographer communication. In order to focus on specific purposes, the dedicated encryption system can limit the means of transmission, but should not be limited at all times.

In that historical period, telegraph was neither an advanced nor an ordinary communication method. The true purpose of these arguments was to ensure the practicality of the encryption system for military purposes. Therefore, we should not focus on the changes in the current environment, but on the selection of different communication methods based on the actual situation.

5. the device or file should be portable for the convenience of single-user operations, and should be used normally under unpredictable circumstances.

From a practical point of view, it is unreasonable to rely on a general encryption system to ensure the security of all users. In the era of human network, passwords can only be opened through devices, such security is sufficient. But the times have changed and will continue to change. If the encryption system still assumes that the actual situation is restricted, the encryption system will not be able to withstand the test of time.

6. The system should be very simple to use and do not need to remember a large number of rules or put psychological pressure on users.

In addition to adding the word "use" to determine what users should do and what encryption system tools should handle, there is nothing to change. In the practice of the encryption system, we should note this point, that is, the parts used by users should not be too complex, and a large number of files will cause frequent problems during use. Basic skills, good habits, and knowledge of encryption system keys should be all the knowledge and skills needed to use the system.

The most widely used encryption systems in the world are basically in line with these principles, although many of them seem longer or more restrictive. When you select a new encryption system, you should follow these principles to confirm whether it meets the actual needs from the current to the future.