[Discuss] password strength
Kent Borg
kentborg at borg.org
Mon Jul 29 09:16:23 EDT 2013
On 07/29/2013 08:31 AM, Edward Ned Harvey (blu) wrote:
> There are two use cases for passwords: online and offline.
Absolutely. I was making the distinction between a password and en
encryption key. Passwords can be quite short and still quite secure.
(ATM PINs, because of the slow and limited trials possible.)
> I want the probability of breaching my offline password safe to be on-par with ligntning strike. 1 in a million or so, over 6 months. This requires 48 bits.
Which fits the entropy rules-of-thumb I earlier sent. 32-bits of
entropy "stops a naive individual with a day-job" but will not stop a
small organization trying to break your key using a bunch of GPUs in
parallel. Don't have any significant foes that interested in your
data? Then 48-bits is pretty good.
> 48 bits is reasonable to memorize, but not reasonable to demand somebody else to memorize. For example:
>
> worse-attention-flat-madden (4 words, 44 bits effective entropy)
> 75EF4A4990 (10 hex chars, 40 bits effective entropy)
> QgqAqLpu8y (10 non-ambiguous chars, 58 bits effective entropy)
> 6201859243 (10 numeric chars, 33 bits effective entropy)
> WgX7jRCqrh (10 alphanumeric chars, 59 bits effective entropy)
> kgu-150-KQJ-hnb (9 alpha, 3 numeric, 52 bits effective entropy)
I like your examples. (They make one of my points nicely.)
-kb
More information about the Discuss
mailing list