password paranoia

vedaal at hush.com vedaal at hush.com
Thu Feb 9 17:43:11 CET 2006


Gabriele Alberti wrote on Wed Feb 1 22:54:42 CET 2006:

] i have this paranoia since some time though.. 
If i use _symmetric_ cyphers (lets say a 256 bit) how long my 
password has to
be? 
Keeping in mind my password can be composed with all 95 writeable 
ascii chars,
using for example a 15 chars password gives me a "password space" 
of 95^15,
that is  463291230159753366058349609375 passwords..*much* smaller 
than the 256
bit keyspace (2^256,


2^256 ~= 1.1579 x 10^77

diceware ( http://world.std.com/~reinhold/diceware.html )
uses words for the passphrase and is much easier to remember 
(but much harder to type when you don't see the passphrase as you 
are typing it in ;-)  )

there are 7776 diceware words,
7776^20 ~= 6.5331 x 10^77  > 2^256

so it would need 20 diceware words to get a passphrase that would 
be as difficult to break, as brute forcing the keyspace of the 
symmetrical cipher

*but*

in gnupg, unless you _actively_ choose otherwise,
by using the option of 
's2k-cipher algo twofish' or 's2k-cipher algo aes256'
your secret key is, by default, encrypted with CAST5
which is only 128 bit


vedaal

 



Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485




More information about the Gnupg-users mailing list