There is no limit on the length of a passphrase,
Robert J. Hansen
rjh at sixdemonbag.org
Tue Oct 21 13:43:38 CEST 2008
> IIRC, once I saw somebody saying 128 bits is more than enough for a
> good passphrase. And that beyond that lenght, there was no real strengh
> gains... But maybe I am not recalling it correctly...
This is something you've heard from a lot of people, probably, myself
included. 128 bits is enough until we get some science fiction
Of course, the trick there is 128 bits _of entropy_, not 128 bits _of
passphrase_. Conservatively speaking, there are probably about 1.5 bits
of entropy per letter of English text, meaning you'd need about an
80-char English passphrase to max it out. Introducing alphanumeric
characters, punctuation and the like will reduce this considerably.
> Anyway, bruteforcing an 8 characters long SHA1 password, in a home
> computer, would take months... even using several home computers to
Think 'centuries.' The RC5/64 project brute-forced a 64-bit cipher
using 18 months and a very large distributed computing system.
More information about the Gnupg-users