Educause Security Discussion mailing list archives
Re: Password entropy
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 24 Jul 2006 16:18:14 -0400
On Mon, 24 Jul 2006 13:01:06 CDT, Roger Safian said:
> At 12:05 PM 7/24/2006, Basgen, Brian put fingers to keyboard and wrote:
> > This isn't going to be strong when combined with regular words. "At the moment" is 13 characters, at 3.5 bits of entropy, gives us 45.5 bits total.
>
> OK...so how long can I expect this phrase to last? Are there tools or spreadsheets that allow you to evaluate various combinations?
Rough guidelines:

40 bits is laughable - a few hours' work on a *single* PC will quite possibly break it (remember - this is "5 or 6 letters/digits" territory, and not a challenge to brute force in a day on modern CPUs)....

56 bits isn't considered sufficient anymore. The EFF had a box a while ago that could break that class in a day, and any zombie net of 10K or so machines could do it in similar time.

64 bits is far too close to 56 for comfort. I'd not trust it for anything that has to survive more than a few hours.

80 bits is 24 bits more (or about 16M times harder) than what the EFF box or a small zombie net can break in a day. So a zombie net of a million boxes would be grinding for several years. That's probably "strong enough" that the passphrase itself is your weakest link - going to 96 or 128 is just piling it on after that. (128 is well into "if we converted the entire planet into nanomachine computers, we *might* break it before the heat death of the universe").

Anything over 80 bits or so is "strong enough" - after that (actually, even before that), your biggest threats are the ones that don't care how long the passphrase is - keystroke loggers, social engineering, phishing, and other similar attacks...
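A small calculator for the kind of evaluation asked about above, added here as an example and not part of the original message. It takes the 3.5 bits per character and the "56 bits in about a day" baseline from the thread; the linear scaling with machine count, the rating bands between the named bit sizes, and all function names are assumptions of this example.

```python
import math

# Figures taken from the messages above; everything else is an assumption.
BITS_PER_CHAR_ENGLISH = 3.5   # per-character estimate quoted for ordinary words
BASELINE_BITS = 56            # keyspace the reply says falls in about a day
BASELINE_MACHINES = 10_000    # "zombie net of 10K or so machines"

# Bands anchored on the reply's named sizes, highest first; the ranges
# between those named points are an interpolation made for this example.
RATINGS = [
    (80, "strong enough; other attacks matter more"),
    (64, "too close to 56 for comfort"),
    (56, "not considered sufficient"),
    (0, "under a day for the baseline attacker"),
]

def phrase_bits(phrase, bits_per_char=BITS_PER_CHAR_ENGLISH):
    """Entropy estimate for a phrase built from ordinary words."""
    return len(phrase) * bits_per_char

def random_bits(length, alphabet_size):
    """Entropy of a string drawn uniformly at random from an alphabet."""
    return length * math.log2(alphabet_size)

def days_to_exhaust(bits, machines=BASELINE_MACHINES):
    """Days to search the whole keyspace, assuming effort scales linearly
    with machine count from the 56-bits-per-day baseline (an assumption)."""
    return 2 ** (bits - BASELINE_BITS) * BASELINE_MACHINES / machines

def rating(bits):
    for floor, label in RATINGS:
        if bits >= floor:
            return label

def report(name, bits, machines=BASELINE_MACHINES):
    days = days_to_exhaust(bits, machines)
    span = f"{days * 24:.2g} hours" if days < 1 else (
        f"{days:.3g} days" if days < 365 else f"{days / 365:.3g} years")
    return f"{name}: {bits:.1f} bits, {span} on {machines:,} machines, {rating(bits)}"

if __name__ == "__main__":
    print(report('"At the moment"', phrase_bits("At the moment")))
    # Constructed sample: 12 characters chosen at random from a-z, A-Z, 0-9.
    print(report("12 random letters/digits", random_bits(12, 62)))
    for bits in (40, 56, 64, 80, 128):
        print(report(f"{bits}-bit secret", bits))
```

The per-character figure only applies to natural-language text; a passphrase that appears in a dictionary or quotation list has far less entropy than its length suggests.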