How many characters to make Winzip AES 256 unbreakable?

Discussion in 'Computer Security' started by Zak, May 13, 2006.

  1. Zak

    Zak Guest

    Winzip offers 256 bit AES. So do other apps.

    If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    no specials then how many characters do I need to use to make AES 256
    uncrackable by a brute force attack?

    The info out there talks mainly of key length but I am not familiar with
    this field and I can sense they are not talking about the length of the
    password I am using.

    There is a little bit here but it seems out of date:

    <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_pa
    ssword/>
     
    Zak, May 13, 2006
    #1
    1. Advertising

  2. Almost any encryption is breakable if you throw enough horse power at the
    problem.

    --
    Regards,

    Richard Urban
    Microsoft MVP Windows Shell/User

    Quote from George Ankner:
    If you knew as much as you think you know,
    You would realize that you don't know what you thought you knew!

    "Zak" <> wrote in message
    news:Xns97C2C5EBF7A9764A18E@127.0.0.1...
    > Winzip offers 256 bit AES. So do other apps.
    >
    > If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    > no specials then how many characters do I need to use to make AES 256
    > uncrackable by a brute force attack?
    >
    > The info out there talks mainly of key length but I am not familiar with
    > this field and I can sense they are not talking about the length of the
    > password I am using.
    >
    > There is a little bit here but it seems out of date:
    >
    > <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_pa
    > ssword/>
    >
     
    Richard Urban, May 13, 2006
    #2
    1. Advertising

  3. Zak

    Imhotep Guest

    Zak wrote:

    > Winzip offers 256 bit AES. So do other apps.
    >
    > If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    > no specials then how many characters do I need to use to make AES 256
    > uncrackable by a brute force attack?
    >
    > The info out there talks mainly of key length but I am not familiar with
    > this field and I can sense they are not talking about the length of the
    > password I am using.
    >
    > There is a little bit here but it seems out of date:
    >
    > <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_pa
    > ssword/>


    ....nothing is unbreakable. The trick is to make it so difficult that is not
    worth the average hacker/crackers time...

    So, knowing that, the bigger (generally speaking) the password the better.
    However, you also want to make it is a non dictionary word with a wide
    variety of charters (alpha numeric, uppercase/lowercase, etc). The more
    random looking the password that better...

    -- Imhotep
     
    Imhotep, May 13, 2006
    #3
  4. Richard Urban wrote:
    > Almost any encryption is breakable if you throw enough horse power at the
    > problem.


    MVP, hein? Where did you buy that title?
     
    Sebastian Gottschalk, May 13, 2006
    #4
  5. AES encrypted files themselves are extremely secure if the decryption key is
    not available but in your case your password is the key. I am not sure
    exactly how Winzip hashes the password but take Windows XP as an example you
    need to use a complex password/pass phrase of at least 15 characters to
    consider the password uncrackable by today's standards. Also keep in mind
    that keyboard loggers are a risk in capturing your password that is a lot
    easier than cracking a password. Keyboard loggers can be software or
    hardware. --- Steve


    "Zak" <> wrote in message
    news:Xns97C2C5EBF7A9764A18E@127.0.0.1...
    > Winzip offers 256 bit AES. So do other apps.
    >
    > If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    > no specials then how many characters do I need to use to make AES 256
    > uncrackable by a brute force attack?
    >
    > The info out there talks mainly of key length but I am not familiar with
    > this field and I can sense they are not talking about the length of the
    > password I am using.
    >
    > There is a little bit here but it seems out of date:
    >
    > <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_pa
    > ssword/>
    >
     
    Steven L Umbach, May 13, 2006
    #5
  6. Zak

    nemo_outis Guest

    Zak <> wrote in news:Xns97C2C5EBF7A9764A18E@127.0.0.1:

    > Winzip offers 256 bit AES. So do other apps.
    >
    > If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    > no specials then how many characters do I need to use to make AES 256
    > uncrackable by a brute force attack?
    >
    > The info out there talks mainly of key length but I am not familiar with
    > this field and I can sense they are not talking about the length of the
    > password I am using.
    >
    > There is a little bit here but it seems out of date:
    >
    > <http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_pa
    > ssword/>
    >


    In general you want to make the password/passphrase as strong as the
    underlying algorithm (256 bits in this case). With a character set of 62
    characters (a-z upper & lower case plus 0-9) you want 62^n >= 2^256, where
    n (an integer) is the number of random characters in the password.

    A little math results in n = 43.

    Regards,
     
    nemo_outis, May 13, 2006
    #6
  7. "nemo_outis" <> wrote in
    news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:

    > Zak <> wrote in
    > news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
    >
    >> Winzip offers 256 bit AES. So do other apps.
    >>
    >> If I use a password made up of ordinary characters (A-Z, a-z,
    >> 0-9) with no specials then how many characters do I need to use
    >> to make AES 256 uncrackable by a brute force attack?
    >>
    >> The info out there talks mainly of key length but I am not
    >> familiar with this field and I can sense they are not talking
    >> about the length of the password I am using.
    >>
    >> There is a little bit here but it seems out of date:
    >>
    >> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover
    >> _lost_pa ssword/>
    >>

    >
    > In general you want to make the password/passphrase as strong as
    > the underlying algorithm (256 bits in this case).


    Please would you explain 'strong' in this context?


    > With a
    > character set of 62 characters (a-z upper & lower case plus 0-9)
    > you want 62^n >= 2^256, where n (an integer) is the number of
    > random characters in the password.


    Why?


    > A little math results in n = 43.


    AIUI: given enough time a brute force attack will always succeed
    eventually. What time frame is your estimation method based upon?

    Other sources suggest very much lower numbers, including the OP
    quoted source. Another example is
    http://lastbit.com/rm_bruteforce.asp, which estimates that assuming
    a brute force trisl speed is 500,000 passwords per second, a random
    9-character key of both lowercase and uppercase letters (i.e. 52
    possibilities) would on average take 178 years to crack. Why is
    there such a large discrepancy vs. your estimate?
     
    Frazer Jolly Goodfellow, May 14, 2006
    #7
  8. Zak

    Arthur T. Guest

    In Message-ID:<Xns97C2C5EBF7A9764A18E@127.0.0.1>,
    Zak <> wrote:

    >If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    >no specials then how many characters do I need to use to make AES 256
    >uncrackable by a brute force attack?


    Well, to make your password not the weak point, you need 43
    totally random characters.

    Here's how that's figured:

    AES256 uses a 256-bit key. There are, therefore, 2**256 possible
    keys.

    26+26+10=62

    62**43 is approximately 2**256

    --
    Arthur T. - ar23hur "at" intergate "dot" com
    Looking for a good MVS systems programmer position
     
    Arthur T., May 14, 2006
    #8
  9. Zak

    nemo_outis Guest

    Frazer Jolly Goodfellow <> wrote in
    news:Xns97C3A7C0B653frz@62.253.170.163:

    > "nemo_outis" <> wrote in
    > news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:
    >
    >> Zak <> wrote in
    >> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
    >>
    >>> Winzip offers 256 bit AES. So do other apps.
    >>>
    >>> If I use a password made up of ordinary characters (A-Z, a-z,
    >>> 0-9) with no specials then how many characters do I need to use
    >>> to make AES 256 uncrackable by a brute force attack?
    >>>
    >>> The info out there talks mainly of key length but I am not
    >>> familiar with this field and I can sense they are not talking
    >>> about the length of the password I am using.
    >>>
    >>> There is a little bit here but it seems out of date:
    >>>
    >>> <http://www.dekart.com/howto/howto_disk_encryption/howto_recover
    >>> _lost_pa ssword/>
    >>>

    >>
    >> In general you want to make the password/passphrase as strong as
    >> the underlying algorithm (256 bits in this case).

    >
    > Please would you explain 'strong' in this context?



    Strong for a password means resistant to being found. If a password is
    truly random there is no more efficient way to find it than brute force
    (i.e., exhaustive search). While one could be unbelievably lucky and get
    it on the first guess, in general (i.e., the expectational value) one
    would need 2^255 guesses. There is NO possibility of doing that with any
    computer that now exists or that will exist for the foreseeable future.

    To illustrate, Let's say, overly generously, that the fastest computer
    today is capable of 1 petaflop (a quadrillion ops/second). Let's say it
    could try one password guess per op. A trillion, trillion,trillion such
    computers working for the 15 billion years the universs has been in
    existence (since the big bang) would not have made a dent in the problem
    (i.e., would only have looked at 1 one-billionth of 1 percent of the
    possible passwords)! To me that seems strong enough!



    >> With a
    >> character set of 62 characters (a-z upper & lower case plus 0-9)
    >> you want 62^n >= 2^256, where n (an integer) is the number of
    >> random characters in the password.

    >
    > Why?



    >> A little math results in n = 43.

    >
    > AIUI: given enough time a brute force attack will always succeed
    > eventually. What time frame is your estimation method based upon?



    No, brute force will NOT succeed! There isn't nearly enough time before
    the heat death of the universe!

    The fastest known computer would need a 100 billion, trillion, trillion,
    trillion times the entire life of the universe!


    > Other sources suggest very much lower numbers, including the OP
    > quoted source. Another example is
    > http://lastbit.com/rm_bruteforce.asp, which estimates that assuming
    > a brute force trisl speed is 500,000 passwords per second, a random
    > 9-character key of both lowercase and uppercase letters (i.e. 52
    > possibilities) would on average take 178 years to crack. Why is
    > there such a large discrepancy vs. your estimate?



    The explanation in two words, m'boy: Logarithms and exponents.
    It's time you refreshed your memory regarding them.

    A 43-character password (drawn from 52 possible characters) is NOT 5
    times as hard to guess as a 9-character one. No, it is approximately ten
    billion, trillion, trillion, trillion, trillion times as hard!

    Regards,
     
    nemo_outis, May 14, 2006
    #9
  10. Zak

    nemo_outis Guest

    >
    > To illustrate, Let's say, overly generously, that the fastest computer
    > today is capable of 1 petaflop (a quadrillion ops/second). Let's say
    > it could try one password guess per op. A trillion, trillion,trillion
    > such computers working for the 15 billion years the universs has been
    > in existence (since the big bang) would not have made a dent in the
    > problem (i.e., would only have looked at 1 one-billionth of 1 percent
    > of the possible passwords)! To me that seems strong enough!


    Whoops - make that 1 one-millionth of 1 percent. I should know better than
    to trust my calculating after two glasses of Montrachet :).

    Regards,
     
    nemo_outis, May 14, 2006
    #10
  11. "nemo_outis" <> wrote in
    news:Xns97C2E3FFB9A8Fabcxyzcom@204.153.244.170:

    > Frazer Jolly Goodfellow <> wrote in
    > news:Xns97C3A7C0B653frz@62.253.170.163:
    >
    >> "nemo_outis" <> wrote in
    >> news:Xns97C2A6B65D746abcxyzcom@204.153.244.170:
    >>
    >>> Zak <> wrote in
    >>> news:Xns97C2C5EBF7A9764A18E@127.0.0.1:
    >>>
    >>>> Winzip offers 256 bit AES. So do other apps.
    >>>>
    >>>> If I use a password made up of ordinary characters (A-Z, a-z,
    >>>> 0-9) with no specials then how many characters do I need to
    >>>> use to make AES 256 uncrackable by a brute force attack?
    >>>>
    >>>> The info out there talks mainly of key length but I am not
    >>>> familiar with this field and I can sense they are not talking
    >>>> about the length of the password I am using.
    >>>>
    >>>> There is a little bit here but it seems out of date:
    >>>>
    >>>> <http://www.dekart.com/howto/howto_disk_encryption/howto_recov
    >>>> er _lost_pa ssword/>
    >>>>
    >>>
    >>> In general you want to make the password/passphrase as strong
    >>> as the underlying algorithm (256 bits in this case).

    >>
    >> Please would you explain 'strong' in this context?

    >
    >
    > Strong for a password means resistant to being found. If a
    > password is truly random there is no more efficient way to find
    > it than brute force (i.e., exhaustive search). While one could
    > be unbelievably lucky and get it on the first guess, in general
    > (i.e., the expectational value) one would need 2^255 guesses.
    > There is NO possibility of doing that with any computer that now
    > exists or that will exist for the foreseeable future.
    >
    > To illustrate, Let's say, overly generously, that the fastest
    > computer today is capable of 1 petaflop (a quadrillion
    > ops/second). Let's say it could try one password guess per op.
    > A trillion, trillion,trillion such computers working for the 15
    > billion years the universs has been in existence (since the big
    > bang) would not have made a dent in the problem (i.e., would
    > only have looked at 1 one-billionth of 1 percent of the possible
    > passwords)! To me that seems strong enough!
    >

    Slight overkill IMO.

    >
    >>> With a
    >>> character set of 62 characters (a-z upper & lower case plus
    >>> 0-9) you want 62^n >= 2^256, where n (an integer) is the
    >>> number of random characters in the password.

    >>
    >> Why?

    >
    >>> A little math results in n = 43.

    >>
    >> AIUI: given enough time a brute force attack will always
    >> succeed eventually. What time frame is your estimation method
    >> based upon?

    >
    > No, brute force will NOT succeed! There isn't nearly enough time
    > before the heat death of the universe!

    I *did* qualify my point- "given enough time... ...eventually". I'm
    impressed with your confidence in our knowledge of the lifetime of
    the universe - but I bet you are wrong.

    >
    > The fastest known computer would need a 100 billion, trillion,
    > trillion, trillion times the entire life of the universe!
    >
    >
    >> Other sources suggest very much lower numbers, including the OP
    >> quoted source. Another example is
    >> http://lastbit.com/rm_bruteforce.asp, which estimates that
    >> assuming a brute force trisl speed is 500,000 passwords per
    >> second, a random 9-character key of both lowercase and
    >> uppercase letters (i.e. 52 possibilities) would on average take
    >> 178 years to crack. Why is there such a large discrepancy vs.
    >> your estimate?

    >
    >
    > The explanation in two words, m'boy: Logarithms and exponents.
    > It's time you refreshed your memory regarding them.

    Patronising git.
    >
    > A 43-character password (drawn from 52 possible characters) is
    > NOT 5 times as hard to guess as a 9-character one.

    I did not say that it is - you misunderstood my point, see below.

    > No, it is
    > approximately ten billion, trillion, trillion, trillion,
    > trillion times as hard!

    ....I'm well aware of that, also of overkill.
    >


    I was seeking information on what underlying assumptions you were
    making, given you'd not mentioned *time* as a factor, and also
    where you'd plucked 43 from. Other sources variously suggest that a
    key length of 8-20 random characters [from 62 possibilities] is
    sufficient for the key to be practically uncrackable for most
    people's purposes - i.e. crack times of 10's of years with
    practically available resources.
     
    Frazer Jolly Goodfellow, May 14, 2006
    #11
  12. Zak

    nemo_outis Guest

    Frazer Jolly Goodfellow <> wrote in
    news:Xns97C397E0D61C0frz@62.253.170.163:

    >>> Please would you explain 'strong' in this context?

    >>
    >> Strong for a password means resistant to being found. If a
    >> password is truly random there is no more efficient way to find
    >> it than brute force (i.e., exhaustive search). While one could
    >> be unbelievably lucky and get it on the first guess, in general
    >> (i.e., the expectational value) one would need 2^255 guesses.
    >> There is NO possibility of doing that with any computer that now
    >> exists or that will exist for the foreseeable future.
    >>
    >> To illustrate, Let's say, overly generously, that the fastest
    >> computer today is capable of 1 petaflop (a quadrillion
    >> ops/second). Let's say it could try one password guess per op.
    >> A trillion, trillion,trillion such computers working for the 15
    >> billion years the universs has been in existence (since the big
    >> bang) would not have made a dent in the problem (i.e., would
    >> only have looked at 1 one-billionth of 1 percent of the possible
    >> passwords)! To me that seems strong enough!


    > Slight overkill IMO.



    Then WTF do you want a 256-bit algorithm like AES?
    However, if you do choose such an algorithm you should choose an
    equivalently hard password.


    >> The explanation in two words, m'boy: Logarithms and exponents.
    >> It's time you refreshed your memory regarding them.


    > Patronising git.



    Moronic git.


    >> A 43-character password (drawn from 52 possible characters) is
    >> NOT 5 times as hard to guess as a 9-character one.

    > I did not say that it is - you misunderstood my point, see below.
    >
    >> No, it is
    >> approximately ten billion, trillion, trillion, trillion,
    >> trillion times as hard!


    ...I'm well aware of that, also of overkill.


    No, you weren't well aware of it; otherwise you would never have asked
    your moronic questions. And no one but a moron who completely
    misunderstood the problem (i.e., you!) would have said (as you did!) that
    brute force could crack such a password.


    > I was seeking information on what underlying assumptions you were
    > making, given you'd not mentioned *time* as a factor, and also
    > where you'd plucked 43 from. Other sources variously suggest that a
    > key length of 8-20 random characters [from 62 possibilities] is
    > sufficient for the key to be practically uncrackable for most
    > people's purposes - i.e. crack times of 10's of years with
    > practically available resources.



    Where I "plucked" 43 from? You moron, I laid out the calculation in
    black and white. However, I clearly didn't make sufficient allowance
    for your stupidity in not being able to perform simple math. Should I
    pre-chew your food for you, too?

    So, once again: despite whatever you may have read, the best plan is to
    make sure that the password is not weaker than the algorithm.

    Regards,
     
    nemo_outis, May 14, 2006
    #12
  13. nemo_outis wrote:

    > Then WTF do you want a 256-bit algorithm like AES?


    - reserves against future attacks
    - security against quantum computitional attacks

    > However, if you do choose such an algorithm you should choose an
    > equivalently hard password.


    Better: passphrase!

    BTW, key strengthening exists and it's stupid that WinZip does not make
    use of it. But their implementation is b0rken anyway.

    > So, once again: despite whatever you may have read, the best plan is to
    > make sure that the password is not weaker than the algorithm.


    Only if your goal is to not let the passphrase being the weakest link. A
    noble, but uncommon and impractical goal.
     
    Sebastian Gottschalk, May 14, 2006
    #13
  14. Zak

    nemo_outis Guest

    Sebastian Gottschalk <> wrote in news:4cou00F16qrdoU1
    @news.dfncis.de:

    > nemo_outis wrote:
    >
    >> Then WTF do you want a 256-bit algorithm like AES?

    >
    > - reserves against future attacks
    > - security against quantum computitional attacks



    The first point was discussed here recently (including input from me).
    As for the second point: if quantum computing is feasible AES256 will
    likely be insufficient for long-term use. To a first approximation
    quantum computing will halve the "effective" length of symmetric
    algorithms like AES (i.e. square-root time) with AES256 effectively
    reduced to AES128 in strength. (Quantum computing wil be more ominous
    for asymmetric ciphers, breaking (some of) them nearly instantaneously.)


    >> However, if you do choose such an algorithm you should choose an
    >> equivalently hard password.

    >
    > Better: passphrase!



    The question was posed and the answer (and supporting math) was presented
    in terms of strings of random characters: passwords.

    However, I do agree that passphrases are preferable where human memory
    comes into play. Constructing them raises other issues, issues which I
    have discussed here before but not recently.


    > BTW, key strengthening exists and it's stupid that WinZip does not make
    > use of it. But their implementation is b0rken anyway.
    >
    >> So, once again: despite whatever you may have read, the best plan is

    to
    >> make sure that the password is not weaker than the algorithm.


    > Only if your goal is to not let the passphrase being the weakest link.

    A
    > noble, but uncommon and impractical goal.



    It seems more than a little imprudent to gratuitously weaken one's
    security by picking a password weaker than the underlying algorithm,
    especially if the reason is nothing more than illusory convenience.
    (Memorizing, say, a 30-character random string seems to me every bit as
    impractical and no more convenient for most humans as memorizing a 43-
    character one.)

    It does not require great nobility and it is entirely practical to
    support passwords/passphrases with strength at least equivalent to the
    underlying algorithm. Many current encryption packages provide exactly
    this feature, and do so in large part for the reasons I have described..

    Regards,
     
    nemo_outis, May 14, 2006
    #14
  15. nemo_outis wrote:

    > The question was posed and the answer (and supporting math) was presented
    > in terms of strings of random characters: passwords.


    Or you could simply use the key and express it with printable characters...

    > It seems more than a little imprudent to gratuitously weaken one's
    > security by picking a password weaker than the underlying algorithm,
    > especially if the reason is nothing more than illusory convenience.


    'weaken' is probably the wrong term, 'not achieving' proposes the
    problem much better. The security is always min(user,system), so the
    weakest one will always weaken the stronger one. You cannnot simply tell
    that the system is already given and the user has to adapt to it, but
    the user is given as well.
     
    Sebastian Gottschalk, May 14, 2006
    #15
  16. Zak

    TwistyCreek Guest

    nemo_outis wrote:

    >> Slight overkill IMO.

    >
    > Then WTF do you want a 256-bit algorithm like AES? However, if you do
    > choose such an algorithm you should choose an equivalently hard password.


    You're technically correct, but in the real world often times pass phrases
    don't carry as much of the burden of security as the algorithm. The
    encrypted data must be secure while out on the world, while passwords need
    only stand up to a much weaker attacker. An attacker who is aided greatly
    by the things people often do to compensate for not being able to remember
    those mathematically ideal passwords.

    And in cases where a stronger attacker has the keys, they typically the
    passwords or can get them with little or no effort at all. Any physical
    compromise of the keys would invalidate them regardless of whether the
    password was known, because it indicates a situation where something like
    a keylogger has or will glean that information.

    Passwords really don't have to match the strength of the algorithm in the
    real world most of the time, and when they do, the risk should be
    mitigated with good physical security anyway, and you shouldn't be using
    simple PKI or any password based "consumer grade" security to begin with.

    > So, once again: despite whatever you may have read, the best plan is to
    > make sure that the password is not weaker than the algorithm.


    The "best plan" is to make sure your efforts defeat the attackers you're
    likely to encounter. The best password in the world is meaningless if it's
    on a sticky note under the keyboard, and/or a password that only prevents
    your mom from guessing it is meaningless if you have sufficient physical
    security for your scenario.
     
    TwistyCreek, May 14, 2006
    #16
  17. Zak

    nemo_outis Guest

    TwistyCreek <> wrote in
    news::

    > nemo_outis wrote:
    >
    >>> Slight overkill IMO.

    >>
    >> Then WTF do you want a 256-bit algorithm like AES? However, if you do
    >> choose such an algorithm you should choose an equivalently hard
    >> password.

    >
    > You're technically correct, but in the real world often times pass
    > phrases don't carry as much of the burden of security as the
    > algorithm.



    I beg to differ. Most real-world crypto breaches have been compromises
    of the password/passphrase rather than cracking of the algorithm (which,
    so far as is known, is impossible for strong modern algorithms). The
    most popular password compromises include guessing/trying weak passwords,
    input observation (keyloggers, video, acoustics, etc.), finding records
    of the passwords (e.g., written in a journal), and rubber-hose methods.

    So, if one is going to have a password (or passphrase), there is
    virtually no downside in having one as strong as the algorithm - the
    payoff for using a shorter one is close to nil. (As I said, memorizing a
    30-character password is no more attractive than a 43-character one.)


    > The "best plan" is to make sure your efforts defeat the attackers
    > you're likely to encounter. The best password in the world is
    > meaningless if it's on a sticky note under the keyboard, and/or a
    > password that only prevents your mom from guessing it is meaningless
    > if you have sufficient physical security for your scenario.



    The best plan to defeat your attackers is to use a full-strength password
    - especially since the incremental cost in time, trouble, money and
    effort for doing so is next to nil. How to safeguard the password is a
    problem largely independent of its length (except for ones so short and
    weak as to be memorizable).

    Regards,

    PS As for how to store a unmemorizably long password, there are several
    methods including hardware tokens carried on the person used alone or in
    conjunction with memorized data and even biometrics (something you have,
    something you know, something you are). But writing the password down is
    by no means invariably foolish. To the contrary, the US navy (and other
    agencies) suggests the following protocol:
    ___

    # Store it [the password] appropriately. Write the password on opaque
    paper (a 3 x 5 index card is acceptable). Fold the sheet twice and place
    it in an envelope. Indicate what the password is for - i.e., user
    "jschmoe" on host "frackle" on both the sheet and the exterior of the
    envelope. After you close and seal the envelope, sign your name and date
    across the seal. Place the envelope in a container commensurate with the
    information that can be accessed with the password. For example,
    passwords that grant access to a systems which contains (or control
    access to) classified information must be stored in a container approved
    for that level of classified information. You don't need to buy a
    separate safe for password storage for systems located within a vault.
    They can be stored in the vault as long as they are not kept in the open.
    If you have passwords for Unclassified systems, it is a good idea to
    store them in a Secret safe as well.

    # Use the envelope when needed. If you ever forget your password,
    retrieve the envelope from the storage container and open it. After you
    have recalled the password, place it in a new envelope. Sign and seal
    the envelope as above. If someone else who is authorized to access your
    information in your absence needs your password (this should be
    negotiated and documented in advance), they can use the procedure above
    except they will write on the envelope when and why they opened it. When
    you return to work, change your password and place the new one in an
    envelope as described above.
    ___

    Of course, such protocols assume that we have, or have access to, some
    facility in which physical control and custody is bombproofedly secure.
    This may be problematic for those of us who don't have such a facility
    with armed guards on call 24 hours a day :)
     
    nemo_outis, May 14, 2006
    #17
  18. Zak

    TwistyCreek Guest

    Arthur T. wrote:

    > In Message-ID:<Xns97C2C5EBF7A9764A18E@127.0.0.1>, Zak
    > <> wrote:
    >
    >>If I use a password made up of ordinary characters (A-Z, a-z, 0-9) with
    >>no specials then how many characters do I need to use to make AES 256
    >>uncrackable by a brute force attack?

    >
    > Well, to make your password not the weak point, you need 43
    > totally random characters.


    <snip accurate math>

    Which would more often than not make your password considerably weaker
    than something like Diceware or a "random pronounceable" password of
    shorter length because in the real world nobody is going to remember 43
    totally random characters. That means they'll write it down, or secure it
    with something a lot weaker like Password Safe and "mydogsname" as a
    master password. Or inversely, use it to secure all other "lesser"
    passwords which would all be compromised by one breach.

    Real world scenarios dictate more "rational" passwords, and sufficient
    physical security. Or the whole thing usually breaks horribly. :(
     
    TwistyCreek, May 14, 2006
    #18
  19. Zak

    nemo_outis Guest

    TwistyCreek <> wrote in news:5CLVJIKD38851.6280902778
    @twistycreek.com:

    > Arthur T. wrote:
    >
    >> In Message-ID:<Xns97C2C5EBF7A9764A18E@127.0.0.1>, Zak
    >> <> wrote:
    >>
    >>>If I use a password made up of ordinary characters (A-Z, a-z, 0-9)

    with
    >>>no specials then how many characters do I need to use to make AES 256
    >>>uncrackable by a brute force attack?

    >>
    >> Well, to make your password not the weak point, you need 43
    >> totally random characters.

    >
    > <snip accurate math>
    >
    > Which would more often than not make your password considerably weaker
    > than something like Diceware or a "random pronounceable" password of
    > shorter length because in the real world nobody is going to remember 43
    > totally random characters. That means they'll write it down, or secure

    it
    > with something a lot weaker like Password Safe and "mydogsname" as a
    > master password. Or inversely, use it to secure all other "lesser"
    > passwords which would all be compromised by one breach.
    >
    > Real world scenarios dictate more "rational" passwords, and sufficient
    > physical security. Or the whole thing usually breaks horribly. :(




    The question originally raised was what strength a password should have.
    It was raised in the context of a random string drawn from a character
    pool. The question was answered.

    How to store such a password is an entirely different question. Human
    beings, with rare exceptions, are very poor at remembering long strings
    of random characters. But that human limitation does not make the
    password itself a whit weaker. Moreover, accomodating that human
    limitation is a very poor reason for shortening and weakening the
    password. Compounding weaknesses is poor strategy.

    There are a number of ways of addressing the problem, including secure
    storage and passphrases. Passphrases are especially attractive since
    human beings are remarkably good at remembering structured information
    such as phrases or sentences, even nonsense ones. Using a rough median
    estimate of the "Shannon entropy" of ordinary English as 1.2
    bits/character, a sentence of about 200 characters should have strength
    equivalent to AES 256. The sentence should not, of course, be drawn from
    a book or novel, especially popular ones. Sentences of the form (but
    longer than) "A purple aardvark cavorts in a grotto of kumquat rinds."
    will do nicely.

    Regards,

    PS The ability of folks to memorize verbatim even long pieces of
    structured information is illustrated by how many folks can recite the
    Lord's prayer by heart.

    PPS But all this is addressing the security of the *system* not the
    password. A valid, if broader, question, but not the question originally
    posed.
     
    nemo_outis, May 14, 2006
    #19
  20. Zak

    Aaron Guest

    > To illustrate, Let's say, overly generously, that the fastest computer
    > today is capable of 1 petaflop (a quadrillion ops/second). Let's say it
    > could try one password guess per op. A trillion, trillion,trillion such
    > computers working for the 15 billion years the universs has been in
    > existence (since the big bang) would not have made a dent in the problem
    > (i.e., would only have looked at 1 one-billionth of 1 percent of the
    > possible passwords)! To me that seems strong enough!
    >
    >With a character set of 62 characters (a-z upper & lower case plus 0-9)
    >you want 62^n >= 2^256, where n (an integer) is the number of
    >random characters in the password.


    Using your numbers, 62 characters, 10^15 guesses per second "brute
    force", and no timeouts for incorrect guesses. Adjust times by dividing
    by the number of such computers guessing.

    For one PetaFlop computer:

    8 or less characters takes less than 1 second
    9 characters takes 13.5 seconds
    10 characters takes ~14 minutes
    11; ~14.5 hours
    12; ~3.7 days
    13; ~6.4 years
    14; 393 years
    15; 24,365 years
    16; 1,510,647 years
    17; 93,660,129 years
    18; 5.807E+9 years
    Note: per wikipedia, age of Earth = 4.55E+9 years,
    age of the universe is ~13.7E+9 years.
    19; 3.600E+11 years
    20; 2.232E+13 years
    ..
    ..
    ..
    43; 3.747E+54 years (a trillion, trillion,trillion would
    need 3.747E+18 years)

    Statistically, in multiple attempts, it would be expected that the runs
    would average 1/2 of a full run as given above (sometimes it would be
    quick, sometimes loooong, and distributed as randomly as the randomness
    of the password).

    The key point being that each additional character means a brute force
    attack requires 62 times longer than the previous. Key loggers and such
    eliminate the guessing, obviously.

    BTW, I like your 'put it in a secure envelope' method.

    --
    I'm glad my Mom named me Aaron,
    That's what everybody calls me.
     
    Aaron, May 14, 2006
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. John Caruso
    Replies:
    1
    Views:
    10,919
  2. Jim Spencer

    TRADE 256 Compact Flash and Reader for 256 SD

    Jim Spencer, Oct 10, 2003, in forum: Digital Photography
    Replies:
    3
    Views:
    403
  3. max

    WPA AES & WPA2 AES

    max, Feb 13, 2007, in forum: Wireless Networking
    Replies:
    3
    Views:
    10,003
    Jack \(MVP-Networking\).
    Feb 14, 2007
  4. Ike

    256 + 256 = 384 !!??!

    Ike, May 25, 2006, in forum: Computer Support
    Replies:
    23
    Views:
    1,135
    Toolman Tim
    May 26, 2006
  5. Bakko
    Replies:
    14
    Views:
    2,589
    Sebastian G.
    Jan 13, 2008
Loading...

Share This Page