Posted by Ari on July 12, 2007, 2:28 pm
On Wed, 11 Jul 2007 19:57:50 +0000 (UTC), Mark Shroyer wrote:
>> On Tue, 10 Jul 2007 09:15:03 +0000 (UTC), Mark Shroyer wrote:
>>
>>> No, you shouldn't need to enter a 32-character password (although I
>>> can't say for sure because you still haven't specified what software
>>> you're talking about :) ). What usually happens is that the 256-bit
>>> symmetric key is generated as some hash of whatever password you
>>> provide. The longer and more random the password (until you get
>>> past 32 random ASCII characters, anyway), the more entropy in your
>>> 256-bit AES key and therefore the more theoretically secure it is --
>>> but in practice a dozen or so characters should be all the entropy
>>> you need, depending on the quality of your software's hash algorithm
>>> and how sensitive your data is.
>>
>> [...]
>>
>> Is it fair to say that if you used a passphrase such as:
>>
>> 6:Q?-jiF
>>
>> Then repeated it to make a 16 character passphrase, under attack to
>> break, that you haven't gained much entropy or protection? My thinking
>> is that a powerful adversary would have a passphrase breaking program
>> that would constantly search for replication.
>
> In my opinion, you're right -- you wouldn't gain much. I don't know
> personally whether the best black hat brute-force software tries for
> repetition in passwords, but it seems like a reasonable next angle
> of approach should a dictionary attack fail.
>
> So if you want double the strength in your password, generate twice
> as many random characters. Sure it might be annoying to memorize,
> but just think of it as an alternative to playing Nintendo's Brain
> Age -- with the added benefit of securing your data :)
>
> Mark
I have three 8 character rangen passwords and until I read my own words,
I never thought of combining them into one. Jeez.
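
The point discussed in the thread, as an added example that is not part of the original posts: a strength estimate that treats a repeated passphrase as its repeating unit plus a repeat count, next to a password-to-256-bit-key derivation. It assumes the unit's characters are drawn uniformly from the 95 printable ASCII characters and uses PBKDF2-HMAC-SHA256 as a stand-in, since the thread never names the software or its hash; the function names, salt and iteration count are constructed for illustration.

```python
import hashlib
import math

PRINTABLE = 95  # printable ASCII characters, space included (assumed alphabet)

def smallest_unit(password: str) -> str:
    """Shortest prefix whose repetition reproduces the whole password."""
    n = len(password)
    for size in range(1, n + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return password[:size]
    return password

def naive_bits(password: str) -> float:
    """Entropy if every character were an independent random choice."""
    return len(password) * math.log2(PRINTABLE)

def effective_bits(password: str) -> float:
    """Entropy once repetition is accounted for: only the repeating unit is
    random, and the repeat count costs a guesser log2(repeats) extra bits."""
    if not password:
        return 0.0
    unit = smallest_unit(password)
    repeats = len(password) // len(unit)
    return naive_bits(unit) + math.log2(repeats)

def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """256-bit key from a password of any length (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=32)

if __name__ == "__main__":
    base = "6:Q?-jiF"           # the passphrase quoted in the thread
    salt = b"constructed-salt"  # constructed sample value
    for pw in (base, base * 2):
        key = derive_key(pw, salt)
        print(f"{len(pw):2d} chars  naive {naive_bits(pw):6.1f} bits  "
              f"effective {effective_bits(pw):6.1f} bits  "
              f"key {len(key) * 8} bits")
```

The derived key is 256 bits long in both cases; only the number of guesses needed to reach the password behind it differs.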