There is no limit on the length of a passphrase,
Morton D. Trace
classpath at arcor.de
Wed Oct 22 01:00:18 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Robert J. Hansen wrote:
> Faramir wrote:
>> IIRC, once I saw somebody saying 128 bits is more than enough for a
>> good passphrase. And that beyond that length, there was no real strength
>> gains... But maybe I am not recalling it correctly...
>
> This is something you've heard from a lot of people, probably, myself
> included. 128 bits is enough until we get some science fiction
> breakthroughs.
>
> Of course, the trick there is 128 bits _of entropy_, not 128 bits _of
> passphrase_. Conservatively speaking, there are probably about 1.5 bits
> of entropy per letter of English text, meaning you'd need about an
> 80-char English passphrase to max it out. Introducing alphanumeric
> characters, punctuation and the like will reduce this considerably.
>
>> Anyway, bruteforcing an 8 characters long SHA1 password, in a home
>> computer, would take months... even using several home computers to
>
> Think 'centuries.' The RC5/64 project brute-forced a 64-bit cipher
> using 18 months and a very large distributed computing system.
Measuring the strength of a randomly selected password
Dear list readers, I just found this article.
http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html
Measuring the strength of a randomly selected password
Calculating the entropy of a password is here well explained,
I don't know if it is mathematically correct,
no proof is delivered, but it is easy to understand.
The entropy of a randomly selected password is based on its length and
the entropy of each character. The entropy of each character is given by
log-base-2 the size of the pool of characters the password is selected
from - see the formula below:
entropy per character = log2(n)
password entropy = l * entropy per character
Where n is the pool size of characters and l is the length of the password.
Thus the entropy of a character selected at random from, say, the
letters (a-z) would be
log2 (26) or 4.7 bits. The table below gives the entropy per character
for a number of different sized character pools.
Character Pool | Available Characters (n) | Entropy Per Character
digits | 10 (0-9) | 3.32 bits
case insensitive letters | 26 (a-z) | 4.7 bits
case sensitive letters and digits | 62 (A-Z, a-z,0-9) | 5.95 bits
all standard keyboard characters | 94 | 6.55 bits
So, from the table above, we can see that a 20 character password chosen
at random from the keyboard's set of 94 printable characters would have
more than 128 bits (6.55 * 20) of entropy. A password with this much
entropy is infeasible to break by brute force (exhaustively working
through all possible character combinations).
===
I use the formula
y = log a base b
a = b ^ y
hence log a base b = ln(a) / ln(b), base e = 2.71828182846....
In my table I used the log function with base 10, which is irrelevant as
long as I use the same base in the numerator as in the denominator. IIRC
the denominator is down.
The Characters in Unicode
http://www.tbray.org/ongoing/When/200x/2003/04/26/UTF
Unicode currently defines just under 100,000 characters,
the entropy would increase for a 20 character Unicode passphrase
to be 20 * 19.93 bits = 398.6 bits.
Here is my table:
Character pool | Available characters (n) | Entropy per character in unit bits
digits | 10 (0-9) | 3.32192809
case insensitive letters | 26 (a-z) | 4.70043972
case sensitive letters and digits | 62 (A-Z, a-z,0-9) | 5.95419631
all standard keyboard characters plus blank | 95 (The 95 graphic ASCII characters, numbered 32 to 126 (decimal)) | 6.56985561
Unicode | 1000000 (Unicode currently defines just under 100,000 characters, Unicode and the ISO/IEC 10646 Universal Character Set (UCS) have a much wider array of characters) | 19.93156857
One Unicode character has approx. three times the entropy of one ASCII
character, if I have done my homework correctly.
6.56985561 * 3.0 = 19.71 bits of entropy for one character
I'd really like to see UTF-8 supported in GnuPG and be able to type some
characters from my keyboard,
and additionally select some cool Unicode letters from a language only I
know, use the clipboard and insert that into the passphrase. Or, as is
possible in Windows, Alt + Unicode number.
Hence 20 Unicode letters would then have an entropy of 398.6 bits.
With only 7 Unicode letters I reach an entropy of 7 * 19.93 = 139.5
bits of entropy,
if I have understood it correctly.
Can GnuPG accept UTF-8 characters as passphrase input?
Please?
Will additional UTF-8 Unicode passphrase support increase the entropy
according to my entropy calculations?
Sincerely yours,
Morten Gulbrandsen
主バイトホイットフィールド
_____________________________________________________________________
Java programmer, C++ programmer
CAcert Assurer, GSWoT introducer, thawte Notary
Gossamer Spider Web of Trust http://www.gswot.org
Please consider the environment before printing this e-mail!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
Comment: For keyID and its URL see the OpenPGP message header
iEYEARECAAYFAkj+XwIACgkQ9ymv2YGAKVRyFACfWRndfNNckLrhHkTrXHQ0sfD6
vs4AoKtHvuQxUEj8O9mAk1lNUaJRxBQW
=lSeC
-----END PGP SIGNATURE-----
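The formula quoted in the message above (password entropy = l * log2(n)), as an added example that is not part of the original post or the linked article: it computes how many symbols each pool needs to reach 128 bits and draws a passphrase of that length. The formula only holds for symbols chosen uniformly at random, so the generator uses the OS CSPRNG; the function names and the two sample alphabets are assumptions made for this illustration.

```python
import math
import secrets
import string

# Pool sizes from the tables in the message above.
POOLS = {"digits": 10, "case-insensitive letters": 26, "letters and digits": 62,
         "printable ASCII plus blank": 95, "Unicode figure used in the message": 1_000_000}

# Constructed sample alphabets (assumptions for this illustration).
ASCII95 = string.ascii_letters + string.digits + string.punctuation + " "
GREEK_MIX = string.ascii_lowercase + "".join(chr(c) for c in range(0x3B1, 0x3CA))


def entropy_bits(pool_size: int, length: int) -> float:
    """l * log2(n): valid only for symbols drawn uniformly and independently."""
    return length * math.log2(pool_size)


def min_length(pool_size: int, target_bits: int = 128) -> int:
    """Smallest l with n**l >= 2**target_bits (exact integer comparison)."""
    if pool_size < 2:
        raise ValueError("a pool needs at least two symbols")
    length = 1
    while pool_size ** length < 2 ** target_bits:
        length += 1
    return length


def random_passphrase(alphabet: str, target_bits: int = 128) -> str:
    """Shortest passphrase reaching target_bits, drawn with the OS CSPRNG."""
    pool = sorted(set(alphabet))  # duplicate symbols would bias the draw
    return "".join(secrets.choice(pool) for _ in range(min_length(len(pool), target_bits)))


def describe(alphabet: str) -> dict:
    """Generate one passphrase and report symbols, entropy and UTF-8 size."""
    phrase = random_passphrase(alphabet)
    n = len(set(alphabet))
    return {"symbols": len(phrase), "bits": entropy_bits(n, len(phrase)),
            "utf8_bytes": len(phrase.encode("utf-8"))}


if __name__ == "__main__":
    for name, n in POOLS.items():
        print(f"{name:36} n={n:<8} {math.log2(n):6.2f} bits/char, "
              f"{min_length(n)} chars for 128 bits")
    print(describe(ASCII95))
    print(describe(GREEK_MIX))
```

The entropy figure depends on the pool size and the number of symbols drawn, not on how many bytes the passphrase occupies once encoded as UTF-8.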