Educause Security Discussion mailing list archives
Re: Password entropy
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Tue, 25 Jul 2006 09:26:19 -0500
At 03:18 PM 7/24/2006, Valdis Kletnieks put fingers to keyboard and wrote:
> Rough guidelines:
>
> 40 bits is laughable - a few hours work on a *single* PC will quite possibly break it (remember - this is "5 or 6 letters/digits" territory, and not a challenge to brute force in a day on modern CPUs)....
>
> 56 bits isn't considered sufficient anymore. The EFF had a box a while ago that could break that class in a day, and any zombie net of 10K or so machines could do it in similar time.
>
> 64 bits is far too close to 56 for comfort. I'd not trust it for anything that has to survive more than a few hours.
>
> 80 bits is 24 bits more (or about 16M times harder) than what the EFF box or a small zombie net can break in a day. So a zombie net of a million boxes would be grinding for several years. That's probably "strong enough" that the passphrase itself is your weakest link - going to 96 or 128 is just piling it on after that. (128 is well into "if we converted the entire planet into nanomachine computers, we *might* break it before the heat death of the universe").
>
> Anything over 80 bits or so is "strong enough" - after that (actually, even before that), your biggest threats are the ones that don't care how long the passphrase is - keystroke loggers, social engineering, phishing, and other similar attacks...

So, just to be clear, a 12 character passphrase, depending on the distribution of special characters, capitalization, etc. is likely to fall into the 80 bit "strong enough" bucket. Yes?

--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
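
Added example, not part of the original posts: a small calculator for the entropy of a 12-character passphrase and the length needed to reach the 80-bit mark discussed above, with exhaustive-search time scaled from the thread's "56 bits in a day" figure. It assumes every character is chosen uniformly at random from the alphabet (an upper bound; human-chosen passphrases carry less), and the function names and alphabet sets are illustrative choices.

```python
import math
import string

# Alphabet sizes under the assumed model: each character drawn uniformly
# at random. Real, human-chosen passphrases fall below these upper bounds.
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                      # 26
    "letters+digits": len(string.ascii_letters + string.digits),   # 62
    "printable ASCII": len(string.ascii_letters + string.digits
                           + string.punctuation) + 1,              # 95 incl. space
}

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def min_length(target_bits, alphabet_size):
    """Smallest length whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def days_to_exhaust(bits, baseline_bits=56, baseline_days=1.0, speedup=1.0):
    """Full keyspace search time, scaled from a baseline attacker that
    exhausts baseline_bits in baseline_days (the thread's 56-bit figure).
    speedup > 1 models proportionally more hardware."""
    return baseline_days * 2 ** (bits - baseline_bits) / speedup

def report(length=12, target_bits=80):
    """One row per alphabet: (name, bits at `length`, length needed for
    target_bits, days for the baseline attacker to exhaust the space)."""
    rows = []
    for name, size in ALPHABETS.items():
        bits = entropy_bits(length, size)
        rows.append((name, round(bits, 1),
                     min_length(target_bits, size),
                     days_to_exhaust(bits)))
    return rows

if __name__ == "__main__":
    for name, bits, need, days in report():
        print(f"{name:16s} 12 chars = {bits:5.1f} bits; "
              f"need {need} chars for 80 bits; "
              f"baseline search ~{days:,.0f} days")
```
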