[Discuss] password strength

Kent Borg kentborg at borg.org
Mon Jul 29 09:16:23 EDT 2013


On 07/29/2013 08:31 AM, Edward Ned Harvey (blu) wrote:
> There are two use cases for passwords:  online and offline.

Absolutely.  I was making the distinction between a password and en 
encryption key.  Passwords can be quite short and still quite secure.  
(ATM PINs, because of the slow and limited trials possible.)

> I want the probability of breaching my offline password safe to be on-par with ligntning strike.  1 in a million or so, over 6 months.  This requires 48 bits.

Which fits the entropy rules-of-thumb I earlier sent.  32-bits of 
entropy "stops a naive individual with a day-job" but will not stop a 
small organization trying to break your key using a bunch of GPUs in 
parallel.  Don't have any significant foes that interested in your 
data?  Then 48-bits is pretty good.

> 48 bits is reasonable to memorize, but not reasonable to demand somebody else to memorize.  For example:
>
> worse-attention-flat-madden	(4 words, 44 bits effective entropy)
> 75EF4A4990	(10 hex chars, 40 bits effective entropy)
> QgqAqLpu8y	(10 non-ambiguous chars, 58 bits effective entropy)
> 6201859243	(10 numeric chars, 33 bits effective entropy)
> WgX7jRCqrh	(10 alphanumeric chars, 59 bits effective entropy)
> kgu-150-KQJ-hnb	(9 alpha, 3 numeric, 52 bits effective entropy)

I like your examples.  (They make one of my points nicely.)

-kb




More information about the Discuss mailing list