From: Paul Rubin on
bmearns <mearns.b(a)gmail.com> writes:
> I'm pretty sure diceware was created either by someone who has little
> or no experience in cryptography, or someone who wants to make it
> easier to break into people's accounts and systems. It's a dictionary
> attack waiting to happen. He even provides the dictionary!

Diceware is very well thought out. You should read about it. The
idea is you use several words, not just one, so dictionary attacks
are infeasible. The docs do a good job quantifying this.
From: bmearns on
On Feb 22, 2:01 pm, Paul Rubin <no.em...(a)nospam.invalid> wrote:
> bmearns <mearn...(a)gmail.com> writes:
> > I'm pretty sure diceware was created either by someone who has little
> > or no experience in cryptography, or someone who wants to make it
> > easier to break into people's accounts and systems. It's a dictionary
> > attack waiting to happen. He even provides the dictionary!
>
> Diceware is very well thought out.  You should read about it.  The
> idea is you use several words, not just one, so dictionary attacks
> are infeasible.  The docs do a good job quantifying this.

You're right, I did not give it nearly enough credit. After crunching
the numbers it is significantly stronger than I gave it credit for, if
a sufficient number of words are used. The recommended 7 words would
indeed be infeasible to attack. As a quick illustration, though,
there's 7776 words on the list (5 dice: 6^5), if you only pick three,
that's 470 billion possible passphrases: only about 70 times harder
than the original poster's 5 character password. It would probably
take a few to several weeks for a script kiddie to crack that, but
they could certainly do it, and a slightly more resourceful adversary
could crack it quite a bit faster. Choosing the recommended 7 words is
3 quadrillion times harder than that, so it should be safe for most
practical purposes.

Thanks for correcting me.
-Brian
From: rossum on
On Mon, 22 Feb 2010 09:15:36 -0800 (PST), Gomar <romphotog(a)gmail.com>
wrote:

>Great! However, how anyone could memorize a random 10 character
>password is a mystery to me.
Diceware: http://world.std.com/~reinhold/diceware.html

rossum

From: Gomar on
On Feb 23, 9:42 am, bmearns <mearn...(a)gmail.com> wrote:
>
> If you want to use 5 character passwords because you think they're
> plenty strong enough, then by all means go right ahead, you're only
> hurting yourself.

using A-Z, a-z, 0-9
1 character pw has 62 possible combinations, and should take 5secs to
crack;
2 - 3906 - 6m (trial run 1m)
3 - 242234 - 7h10m
4 - 15018570 - 20days
5 - 931151402 - 3 years, 7 months

beyond 5, the number of combinations gets ridiculous, much higher
than the age of the universe.
Thus, what's the point of above a 4 character pw and 128bit
encryption?

From Winzip's help file: "In fact, taking maximum advantage of the
full strength of AES encryption requires a password of approximately
32 characters for 128-bit encryption and 64 characters for 256-bit
encryption."

Thus, using an 8 character pw you get 32-bit encryption, 16 - 64-bit
encryption. Certainly, no one can memorize 32 random characters, if
using caps, symbols, spaces, etc.

> I see you have a gmail account...interesting.

pardon, sire, as do you.

From: Greg Rose on
In article <64539c20-b13e-4f39-949d-7170435cdb54(a)n3g2000vbl.googlegroups.com>,
Gomar <romphotog(a)gmail.com> wrote:
>using A-Z, a-z, 0-9
>1 character pw has 62 possible combinations, and should take 5secs to
>crack;
>2 - 3906 - 6m (trial run 1m)
>3 - 242234 - 7h10m
>4 - 15018570 - 20days
>5 - 931151402 - 3 years, 7 months
>
>beyond 5, number of combinations get ridiculous, much higher
>than the age of the universe.

No, actually, it goes up by a factor of 62 for
each character, so 6 is about 183 years. Not
exactly the age of the universe.

Also, that's the time it takes *one* computer to
check for the password. What if I have access to
the file (say an encrypted ZIP file or access to
the password file), and I point 1000 computers at
the job? Your 5 character password only lasts
about a day.

Greg.

--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
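As an added worked example (not code from any poster in this thread), a small Python script that reproduces the keyspace arithmetic argued over above: Gomar's cumulative 62-character counts, bmearns's 7776^n Diceware figures, and Greg Rose's point that each extra character multiplies the work by 62 while each extra machine divides the time. The guess rate of 62 tries per 5 seconds is taken from Gomar's first line and is assumed here only to make his table comparable, not as a real cracking speed.

```python
import math

ALNUM = 62                 # A-Z, a-z, 0-9, as in Gomar's table
DICEWARE_LIST = 6 ** 5     # 7776 words on the Diceware list, one per five-dice roll
GUESS_RATE = 62 / 5        # assumption: Gomar's "62 combinations in 5 secs" trial

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates when every position is an independent uniform choice."""
    return alphabet_size ** length

def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Lengths 1..max_length together: an attacker who tries short ones first."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))

def entropy_bits(candidates: int) -> float:
    """Search space expressed in bits, comparable with a symmetric key length."""
    return math.log2(candidates)

def days_to_exhaust(candidates: int, guesses_per_second: float, machines: int = 1) -> float:
    """Worst-case days to try every candidate with the work split across machines."""
    return candidates / (guesses_per_second * machines) / 86400

def main() -> None:
    print("Gomar's table, cumulative over lengths 1..n:")
    for n in range(1, 7):
        c = cumulative_keyspace(ALNUM, n)
        print(f"  {n} chars: {c:>15,d} candidates, "
              f"{days_to_exhaust(c, GUESS_RATE):12.1f} days on one machine")
    five, six = keyspace(ALNUM, 5), keyspace(ALNUM, 6)
    print(f"6 chars is {six / five:.0f}x the work of 5 chars")
    print(f"5 chars on 1000 machines: "
          f"{days_to_exhaust(five, GUESS_RATE, machines=1000):.2f} days")
    for words in (3, 7):
        c = keyspace(DICEWARE_LIST, words)
        print(f"Diceware {words} words: {c:.3g} candidates, {entropy_bits(c):.1f} bits")
    ratio = keyspace(DICEWARE_LIST, 7) // keyspace(DICEWARE_LIST, 3)
    print(f"7 words vs 3 words: {ratio:.3g}x harder")

if __name__ == "__main__":
    main()
```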