On 07/29/2013 08:31 AM, Edward Ned Harvey (blu) wrote:
> There are two use cases for passwords: online and offline.

Absolutely. I was making the distinction between a password and an encryption key. Passwords can be quite short and still quite secure. (ATM PINs, because of the slow and limited trials possible.)

> I want the probability of breaching my offline password safe to be on-par with lightning strike. 1 in a million or so, over 6 months. This requires 48 bits.

Which fits the entropy rules-of-thumb I earlier sent. 32 bits of entropy "stops a naive individual with a day-job" but will not stop a small organization trying to break your key using a bunch of GPUs in parallel. Don't have any significant foes that interested in your data? Then 48 bits is pretty good.

> 48 bits is reasonable to memorize, but not reasonable to demand somebody else to memorize. For example:
>
> worse-attention-flat-madden (4 words, 44 bits effective entropy)
> 75EF4A4990 (10 hex chars, 40 bits effective entropy)
> QgqAqLpu8y (10 non-ambiguous chars, 58 bits effective entropy)
> 6201859243 (10 numeric chars, 33 bits effective entropy)
> WgX7jRCqrh (10 alphanumeric chars, 59 bits effective entropy)
> kgu-150-KQJ-hnb (9 alpha, 3 numeric, 52 bits effective entropy)

I like your examples. (They make one of my points nicely.)

-kb
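As an added illustration, not part of the original message or the thread, the Python script below reproduces the entropy arithmetic behind the figures quoted above (bits = length × log2(alphabet size), rounded down) and puts numbers on the online-versus-offline point: a 4-digit PIN with three attempts versus a 48-bit secret against an attacker who can guess for six months. It also generalizes the "1 in a million over 6 months" reasoning into a function that returns the bits needed for any guess rate, time window and acceptable success probability. The alphabet sizes are my assumptions chosen to reproduce the quoted bit counts: a 2048-word list (11 bits per word), 57 "non-ambiguous" symbols (the 62 alphanumerics minus 0/O and 1/l/I), and 26-letter segments for the 9-alpha-3-numeric scheme. The attacker guess rates in the demo are constructed, not figures from the thread.

```python
import math
import secrets

# Alphabets for the schemes quoted in the thread. Sizes are my assumptions,
# chosen because they reproduce the bit counts in the message.
HEX = "0123456789ABCDEF"
DIGITS = "0123456789"
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
UNAMBIGUOUS = "".join(c for c in ALNUM if c not in "0O1lI")  # 57 symbols
WORDLIST_SIZE = 2048  # assumption: a list this size yields 11 bits per word


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size, length):
    """Entropy rounded down, the conservative way the thread quotes it."""
    return math.floor(entropy_bits(alphabet_size, length))


def effective_mixed_bits(*segments):
    """Rounded-down entropy of a password made of independent segments,
    each given as (alphabet_size, length), e.g. 9 letters plus 3 digits."""
    return math.floor(sum(entropy_bits(size, n) for size, n in segments))


def success_probability(bits, guesses_per_second, seconds):
    """Chance that an attacker testing guesses_per_second for `seconds`
    recovers a uniformly random secret of `bits` entropy (capped at 1)."""
    return min(1.0, guesses_per_second * seconds / 2 ** bits)


def required_bits(guesses_per_second, seconds, max_probability):
    """Entropy needed so that success_probability() stays at or below
    max_probability for the given attacker budget."""
    return math.log2(guesses_per_second * seconds / max_probability)


def generate(alphabet, length):
    """Uniformly random password over `alphabet` from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words, sep="-"):
    """Uniformly random passphrase; entropy depends only on len(wordlist)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    six_months = 182.5 * 24 * 3600
    print("4 words          ", effective_bits(WORDLIST_SIZE, 4), "bits")
    print("10 hex           ", effective_bits(len(HEX), 10), "bits ", generate(HEX, 10))
    print("10 non-ambiguous ", effective_bits(len(UNAMBIGUOUS), 10), "bits ", generate(UNAMBIGUOUS, 10))
    print("10 numeric       ", effective_bits(len(DIGITS), 10), "bits ", generate(DIGITS, 10))
    print("10 alphanumeric  ", effective_bits(len(ALNUM), 10), "bits ", generate(ALNUM, 10))
    print("9 alpha + 3 num  ", effective_mixed_bits((26, 9), (10, 3)), "bits")
    # Online: a 4-digit PIN, but the bank allows only 3 attempts.
    print("PIN, 3 online tries:", success_probability(entropy_bits(10, 4), 3, 1))
    # Offline: 48-bit secret, constructed attacker rate of 10 guesses/s
    # (what a deliberately slow KDF leaves a modest attacker) for 6 months.
    print("48 bits vs 10/s for 6 months:", success_probability(48, 10, six_months))
    # General form: bits needed for <= 1e-6 at a constructed 1e4 guesses/s.
    print("bits for 1e-6 at 1e4/s over 6 months:",
          math.ceil(required_bits(1e4, six_months, 1e-6)))
```

The script makes the online/offline distinction concrete: the PIN's 13 bits are fine when the verifier enforces a handful of attempts, while the same secret against an offline attacker falls immediately; conversely, required_bits() shows that the 48-bit target only holds for an attacker limited to a few guesses per second, which is what a slow password-hashing KDF buys you.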