how long should a password be?
vedaal at hush.com
Mon May 5 17:41:15 CEST 2008
Robert J. Hansen rjh at sixdemonbag.org
wrote on Mon May 5 10:36:16 CEST 2008 :
>> Everyone says it should be as long as possible
>Not at all. At some point the passphrase becomes stronger than the
>symmetric encryption algorithm. Then it's time to stop.
so,
assuming 95 keyboard possibilities
(excluding special characters, but including 'space' as a
possibility)
[95^19 = (3.77)(10^37)] < [2^128 = (3.40)(10^38)] < [95^20 = (3.58)(10^39)]
and
[95^38 = (1.42)(10^75)] < [2^256 = (1.15)(10^77)] < [95^39 = (1.35)(10^77)]
(approximate estimations, truncating after 2 significant digits)
so,
for the passphrase to be as secure as a 128 bit block cipher,
it needs to have 20 random keyboard characters
and for it to be as secure as a 128 bit cipher, it needs to have 39
random keyboard characters
i don't know what the correction factor needs to be
if someone uses non-random long passphrases of dictionary words,
or a string acronym of memorable sentences
--btw
a nice way to include special characters,
is to use equations or programming notation as part of the
passphrase
example:
e=m(c^2)
(here we have a unique luxury :-)
the equation doesn't have to be *valid*, just *memorable*)
in crypto, RSA
c = m^e mod n
so e=mc2 becomes:
e = m [(m^e)^2 mod n] = m [m^2e mod n] = [e = m^(2e+1) mod n]
(not being 'picky' about squaring the mod n in the nonsense
equation :-))
many similar memorable nonsense equations
as well as obfuscated perl one-liners,
can be imagined by the geeky mind ;-)
vedaal
any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link
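An added example, not part of the original post: it carries the keyspace comparison above through in code, finding by exact integer arithmetic the smallest passphrase length whose keyspace reaches a given symmetric key size, and applies the same rule to passphrases made of words drawn uniformly at random from a word list (a list size of 7776 words is assumed, the size of a Diceware list). It only covers uniformly random choices; for non-random words or acronyms the formula overstates the entropy, which is the correction factor the post leaves open.

```python
import math

def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each chosen uniformly at random
    from `alphabet_size` possibilities (95 = printable ASCII incl. space)."""
    if alphabet_size < 2 or length < 0:
        raise ValueError("alphabet_size must be >= 2 and length >= 0")
    return length * math.log2(alphabet_size)

def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest L such that alphabet_size**L >= 2**target_bits.

    Exact integer arithmetic, so boundary cases like the post's
    95**19 < 2**128 < 95**20 are decided without floating-point rounding."""
    if alphabet_size < 2 or target_bits < 0:
        raise ValueError("alphabet_size must be >= 2 and target_bits >= 0")
    limit = 1 << target_bits          # 2**target_bits
    length, keyspace = 0, 1
    while keyspace < limit:           # grow the keyspace one symbol at a time
        keyspace *= alphabet_size
        length += 1
    return length

# Alphabets assumed for this example (constructed, not from the post):
ALPHABETS = {
    "95 printable ASCII incl. space": 95,
    "62 letters+digits": 62,
    "7776-word list, words chosen at random": 7776,
}

def length_table(targets=(128, 256)) -> dict:
    """For each alphabet, the minimum count of random symbols (characters
    or words) needed to match each symmetric key size in `targets`."""
    return {name: {b: min_length_for_bits(n, b) for b in targets}
            for name, n in ALPHABETS.items()}

if __name__ == "__main__":
    for name, row in length_table().items():
        cells = "  ".join(f"{b}-bit: {length:2d}" for b, length in row.items())
        print(f"{name:40s} {cells}")
```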