On 07/29/2013 08:31 AM, Edward Ned Harvey (blu) wrote:
There are two use cases for passwords:  online and offline.

Absolutely. I was making the distinction between a password and an encryption key. Passwords can be quite short and still quite secure. (ATM PINs, because of the slow and limited trials possible.)

I want the probability of breaching my offline password safe to be on-par with 
lightning strike.  1 in a million or so, over 6 months.  This requires 48 bits.

Which fits the entropy rules-of-thumb I earlier sent. 32-bits of entropy "stops a naive individual with a day-job" but will not stop a small organization trying to break your key using a bunch of GPUs in parallel. Don't have any significant foes that interested in your data? Then 48-bits is pretty good.

48 bits is reasonable to memorize, but not reasonable to demand somebody else 
to memorize.  For example:

worse-attention-flat-madden     (4 words, 44 bits effective entropy)
75EF4A4990      (10 hex chars, 40 bits effective entropy)
QgqAqLpu8y      (10 non-ambiguous chars, 58 bits effective entropy)
6201859243      (10 numeric chars, 33 bits effective entropy)
WgX7jRCqrh      (10 alphanumeric chars, 59 bits effective entropy)
kgu-150-KQJ-hnb (9 alpha, 3 numeric, 52 bits effective entropy)

I like your examples.  (They make one of my points nicely.)

-kb

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
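An added worked example (not code from either poster) that recomputes the "effective entropy" figures quoted in the thread and turns the "1 in a million over 6 months" target into a bit count. The generation rules are assumptions, since the posts do not state them: a 2048-word list (11 bits per word), a 57-symbol "non-ambiguous" alphabet (62 alphanumerics minus 0/O/1/l/I), and a fixed lower-digit-upper-lower shape for the kgu-150-KQJ-hnb style. The helper names (entropy_bits, bits_for_target, max_guess_rate) are mine. The entropy arithmetic only holds for secrets drawn uniformly by a CSPRNG, which is why the block generates with the secrets module rather than random.

```python
"""Entropy-budget helpers for the password-strength thread above.

Added example, not code from the original posters.  Generation rules
below are ASSUMPTIONS; the thread does not state which word list or
character set produced each example.
"""
import math
import secrets
import string

WORDLIST_SIZE = 2048                                     # assumed: 11 bits/word
HEX = "0123456789abcdef"                                 # 16 symbols
DIGITS = string.digits                                   # 10 symbols
ALNUM = string.ascii_letters + string.digits             # 62 symbols
AMBIGUOUS = set("0O1lI")                                 # assumed exclusion set
NON_AMBIGUOUS = "".join(c for c in ALNUM if c not in AMBIGUOUS)  # 57 symbols

SIX_MONTHS = 182.5 * 24 * 3600                           # seconds


def entropy_bits(alphabet_size: int, count: int) -> float:
    """Entropy of `count` symbols drawn independently and uniformly from an
    alphabet of `alphabet_size`.  Only valid for machine-generated secrets;
    a human-chosen string has far less than this."""
    return count * math.log2(alphabet_size)


def pattern_entropy(pattern: str) -> float:
    """Entropy of a fixed-shape password where the class of every position
    is known to the attacker: 'l' lowercase, 'u' uppercase, 'd' digit.
    Any other character is a literal separator and contributes 0 bits."""
    sizes = {"l": 26, "u": 26, "d": 10}
    return sum(math.log2(sizes[c]) for c in pattern if c in sizes)


def bits_for_target(p_breach: float, guesses_per_sec: float, seconds: float) -> float:
    """Entropy a uniform secret needs so that an attacker making
    `guesses_per_sec` guesses for `seconds` succeeds with probability at
    most `p_breach`:  2**bits * p_breach >= guesses made."""
    return math.log2(guesses_per_sec * seconds / p_breach)


def max_guess_rate(bits: float, p_breach: float, seconds: float) -> float:
    """Inverse of bits_for_target: the attacker rate a `bits`-bit secret
    tolerates while keeping the breach probability at `p_breach`."""
    return 2 ** bits * p_breach / seconds


def generate(alphabet: str, count: int, sep: str = "") -> str:
    """Uniform random secret from the OS CSPRNG, so entropy_bits() applies."""
    return sep.join(secrets.choice(alphabet) for _ in range(count))


def effective_entropy_table() -> dict:
    """Recompute the thread's six examples (floored, as the post rounds)."""
    return {
        "4 words (2048-word list)": math.floor(entropy_bits(WORDLIST_SIZE, 4)),
        "10 hex chars": math.floor(entropy_bits(len(HEX), 10)),
        "10 non-ambiguous chars": math.floor(entropy_bits(len(NON_AMBIGUOUS), 10)),
        "10 numeric chars": math.floor(entropy_bits(len(DIGITS), 10)),
        "10 alphanumeric chars": math.floor(entropy_bits(len(ALNUM), 10)),
        "lll-ddd-uuu-lll": math.floor(pattern_entropy("lll-ddd-uuu-lll")),
    }


if __name__ == "__main__":
    for label, bits in effective_entropy_table().items():
        print(f"{label:28s} {bits} bits")
    rate = max_guess_rate(48, 1e-6, SIX_MONTHS)
    print(f"48 bits at 1e-6 over six months tolerates ~{rate:.0f} guesses/s")
    print(f"{rate:.0f} guesses/s for six months at 1e-6 -> "
          f"{bits_for_target(1e-6, rate, SIX_MONTHS):.1f} bits")
    print("sample 10 non-ambiguous chars:", generate(NON_AMBIGUOUS, 10))
```

Under these assumptions the table reproduces the thread's 44/40/58/33/59/52 figures, which is a useful sanity check that the poster floored log2(alphabet) times length. The more instructive number is the inverse calculation: a 48-bit secret meets a one-in-a-million, six-month target only if the attacker is held to roughly 18 guesses per second, so "48 bits is enough" silently assumes a deliberately slow key-derivation function in front of the password safe; against a raw hash on the GPU cluster mentioned in the reply, the same target needs tens of bits more.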
