Re: Securing a Folder
- From: "nemo_outis" <abc@xxxxxxx>
- Date: Tue, 11 Nov 2008 15:14:54 GMT
species8350 <not_here.5.species8350@xxxxxxxx> wrote in news:8a7de80a-6ae7-4b2b-873c-e64b2760e77b@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:
> Nemo,
> Thanks for the response.
> So it seems that 15 digits is the minimum for a password.
> Would a 15-digit number be less secure than a 15-digit phrase?
How strong a password should be is dependent on how valuable the data is
to you (or your adversary), and on the adversary's resources and
commitment. Generally speaking, you wish to make the "cost" (in time,
trouble, money, and effort) of deciphering greater (ideally, much
greater) than the value of the data, subject to your own "cost"
constraints (e.g., how much of a pain in the ass it is to remember a 30-
character password).
Speaking loosely (e.g., ignoring some of Truecrypt's obstacles to rapidly
testing many passwords), modern computers can test several million
passwords a second (much more if aids like the Nvidia GPU are invoked and
much more again if many PCs are networked). So the password must be
(randomly) drawn from a set larger than it is computationally practical
for the adversary to test.
The mathematics for random passwords go as follows (passphrases can be
somewhat different but the principles are similar). The character set
could be just numbers (10 of them), lower-case letters (26), upper-case
letters (26), and punctuation and special characters (varies, but say 10-
50), or various combinations of the preceding, such as lower- and upper-
case letters and numbers (62). Let's call this number C.
And let's call the number of characters in the password N. Then the
"strength" of the password (i.e., the number of possible ones) is C^N.
So you can make a password stronger by drawing from either a bigger
character set, by making it longer, or by both. But longer pays off MUCH
faster!
For, say, 10 random lower-case characters (26 of them) that means the
number of possible passwords is about 140 trillion (26^10). That seems a
lot but a single PC that could check 3 million (or so) passwords a second
would expect to break it in about 9 months (1/2 the maximum time). Ten
years from now (assuming the secret should still be kept secret) that
might be reduced to less than three days (assuming computers will double
in power every 18 months or so).
The NSA probably has computers that are 1000 times as powerful as a PC,
so if they are the adversary they could break the example password today
in only 6 hours.
The chief points are:
1) How strong your password should be is dependent on the value of the
data, how long it must stay secure, who your adversary is (his
capabilities), and how badly your adversary wants it and how much effort
he's willing to use to get it.
2) Longer passwords get stronger (and shorter ones get weaker) not just
quickly but VERY, VERY QUICKLY. A 15-character (lower-case) password is
12 million times stronger than a 10-character one (not just 50% stronger,
as many people think)!
3) It is usually desirable to add a "cushion" of extra password strength
to allow for increases in future computing power (or breakthroughs in the
crypto math). The longer into the future the data must remain secure,
the more cushion required.
Regards,
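As an added example (not part of the original post), the C^N arithmetic above worked through in Python with the post's own figures: a 26-letter lower-case set, 3 million guesses per second for one PC, a 1000x adversary, and an 18-month doubling of computing power. The `minimum_length` "cushion" rule at the end is my own conservative assumption (the adversary is credited with the end-of-horizon guess rate for the whole period), not something the poster states.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def search_space(charset_size: int, length: int) -> int:
    """Number of possible random passwords: C^N."""
    return charset_size ** length


def expected_crack_seconds(charset_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched."""
    return search_space(charset_size, length) / guesses_per_second / 2


def rate_after_years(guesses_per_second: float, years: float,
                     doubling_months: float = 18) -> float:
    """Guess rate after `years`, assuming it doubles every `doubling_months`."""
    return guesses_per_second * 2 ** (years * 12 / doubling_months)


def minimum_length(charset_size: int, guesses_per_second: float,
                   secure_for_years: float, doubling_months: float = 18) -> int:
    """Smallest N whose expected crack time, at the guess rate reached at the
    END of the horizon, still exceeds the whole horizon. Conservative
    assumption (mine): the adversary has that future rate from day one."""
    rate = rate_after_years(guesses_per_second, secure_for_years, doubling_months)
    needed = 2 * rate * secure_for_years * SECONDS_PER_YEAR
    n = 1
    while search_space(charset_size, n) < needed:
        n += 1
    return n


if __name__ == "__main__":
    pc = 3e6  # one PC, guesses per second, as in the post
    secs = expected_crack_seconds(26, 10, pc)
    print(f"26^10 = {search_space(26, 10):,}")
    print(f"one PC today: {secs / SECONDS_PER_DAY:.0f} days")
    print(f"1000x PC: {secs / 1000 / 3600:.1f} hours")
    future = expected_crack_seconds(26, 10, rate_after_years(pc, 10))
    print(f"one PC in 10 years: {future / SECONDS_PER_DAY:.1f} days")
    print(f"15 vs 10 lower-case: {search_space(26, 15) // search_space(26, 10):,}x")
    print(f"15 digits: {search_space(10, 15):.2e}  15 lower-case: {search_space(26, 15):.2e}")
    print(f"lower-case length to stay safe 10 years: {minimum_length(26, pc, 10)}")
```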