[Q] Diceware password size

Ryan Malayter rmalayter@bai.org
Tue May 27 16:28:02 2003

From: Daniel Carrera [mailto:dcarrera@math.umd.edu]=20
>Could someone help me figure out the value of 'n'
>given knowledge of current technology and the=20
>resourcefulness of the attacker?  (for instance,=20
>an attacker with 500 computers at 3GHZ).

Well, each diceware word represents 12.92 bits of entropy, so a 5-word
passphrase is slightly more than 64 bits of entropy. There's a good
model for a brute-force attack of this size: www.distributed.net broke
the 64-bit version of the RC5 algorithm via brute force. Their
statistics show that it would take the equivalent of 45,998 2GHz AMD
Athlon XP machines 395 days (average) break the 64-bit keyspace. This is
using hand-optimized client programs written in assembly language.

Now, you want to be conservative in your estimates of security, so you'd
have to assume that testing password hashes could be optimized to at
least the rate of distributed.net's RC5 client program. You'd also have
to make some assumtions about realative performance; some CPUs are
better at certain tasks. But assuming a 3 GHz P4 is 50% faster than a
2-GHZ Athalon, it would take a network of ~30,000 3 GHz machines 395
days to break a 5-word diceware passphrase.=20

But all of this is much ado about nothing: any serious attacker who
wanted your data would use a keystroke logging program, hidden camera,
or rubber hose to get your passphrase from you rather than try to crack
the encryption.

Do not meddle in the affairs of dragons, for you are crunchy=20
and taste good with ketchup.