Discussion in 'Computer Security' started by Borked Pseudo Mailed, May 12, 2009.


    How long should my passphrase be?

    I recommend five words for most users.

    In their February 1996 report, "Minimal Key Lengths for Symmetric
    Ciphers to Provide Adequate Commercial Security", a group of
    cryptography and computer security experts -- Matt Blaze, Whitfield
    Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric
    Thompson, and Michael Wiener -- stated:

    "To provide adequate protection against the most serious threats...
    keys used to protect data today should be at least 75 bits long. To
    protect information adequately for the next 20 years ... keys in newly-
    deployed systems should be at least 90 bits long."

    A five-word Diceware passphrase has an entropy of at least 64.6 bits;
    six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits,
    four words 51.6 bits. Inserting an extra letter at random adds about 10
    bits of entropy. Here is a rough idea of how much protection various
    lengths provide, based on updated estimates by A.K. Lenstra. Needless to
    say, projections for the far future have the most uncertainty.

    * Four words are breakable with a hundred or so PCs.
    * Five words are only breakable by an organization with a large
    * Six words appear unbreakable for the near future, but may be
    within the range of large organizations by around 2014.
    * Seven words and longer are unbreakable with any known technology,
    but may be within the range of large organizations by around 2030.
    * Eight words should be completely secure through 2050.

    Pick your passphrase size based on the level of security you want.

    Another way to think about passphrase length is to consider what
    security precautions you take to physically protect your computer and
    data. Here is a list of possible passphrase lengths and commensurate
    security precautions. The list of precautions is not intended to be
    complete. I am not trying to discourage anyone from using longer
    passphrases if they feel up to it, but the added strength without
    comparable physical security for your computer is of limited value.

    4 words
    * You would be content to keep paper copies of the encrypted
    documents in an ordinary desk or filing cabinet in an un-secured office.

    5 words
    * You need or want strong security, but take no special precautions
    to protect your computer from unauthorized physical access, beyond
    locking the front door of your house or office.

    6 words
    * Your computer is protected from unauthorized access at all times
    when not in your personal possession by being locked in a room or
    cabinet in a building where access is controlled 24 hours a day or that
    is protected by a high quality alarm service.
    * Routine cleaning and building maintenance people do not have
    physical access to your computer when you are not present.
    * You regularly use an up-to-date anti-virus program purchased off
    the floor at a computer store.
    * You have verified the signatures on your copy of PGP or your
    installed Hushmail 2 client.
    * You never run unverified downloaded software, e-mail attachments
    or unsolicited disks received through the mail on your computer.

    Note: However I do encourage using six or more words on systems that
    use the passphrase directly to form a transmission key. Such systems
    include Hushmail, disk encryption (e.g. Apple's FileVault),
    Ciphersaber, and WiFi's WPA.

    7 words
    * You take all the steps listed under 6 words above, and:
    * Your computer is kept in a safe or vault at all times when it is
    not in sight of you or someone you trust.
    * Your computer was purchased off the floor at a randomly selected
    computer store.
    * All the software used on your computer was distributed with a
    strong, independently verified electronic signature that you checked,
    or was purchased off the floor in a randomly selected computer store
    * Your computer has never been repaired or upgraded by anyone you
    do not trust completely.
    * All disks and tapes used with your computer are either kept in a
    safe or physically destroyed.
    * You take precautions against audio and video surveillance when
    entering passphrases.
    * You change your PGP encryption key regularly (at least once a
    * You have taken precautions against TEMPEST attacks. See the
    chapter "Commonsense and Cryptography," in Internet Secrets, from IDG
    Books Worldwide, for a discussion of what this involves.

    For people seeking long term data protection (greater than 10 years) I
    would recommend adding one word to the above suggestions.
    Borked Pseudo Mailed, May 12, 2009
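The passphrase arithmetic in the post above, as an added example that is not code from the original post or from the Diceware FAQ it quotes: each word drawn from a 7776-entry list contributes log2(7776) = 5 * log2(6), or about 12.9 bits; a five-die roll maps to a list index as a base-6 number; and the "extra letter at random" figure is modelled here as one of 26 letters at one of (length + 1) positions. That model, the software dice in place of physical ones, the placeholder word list (a real Diceware list pairs each roll with a short word) and the exhaustive-search time formula are assumptions of this example.

```python
"""Diceware passphrase arithmetic: bits per word count, the dice-roll to
word-index mapping, and a rough exhaustive-search time estimate.
Added example; not code from the forum post or from the Diceware FAQ."""
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD          # 7776 entries on a Diceware list
BITS_PER_WORD = math.log2(LIST_SIZE)    # 5 * log2(6) = 12.92 bits per word


def passphrase_bits(n_words):
    """Entropy of an n-word passphrase drawn uniformly from the full list."""
    return n_words * BITS_PER_WORD       # 4 -> 51.7, 5 -> 64.6, 6 -> 77.5, 7 -> 90.5


def words_needed(target_bits):
    """Smallest word count that reaches target_bits (75 -> 6, 90 -> 7)."""
    return math.ceil(target_bits / BITS_PER_WORD)


def extra_letter_bits(phrase_len):
    """Assumed model for 'insert an extra letter at random': one of 26 letters
    at one of phrase_len + 1 positions. For a ~25-character phrase this is
    log2(26 * 26) = 9.4 bits, close to the FAQ's 'about 10 bits'."""
    return math.log2(26 * (phrase_len + 1))


def roll_to_index(roll):
    """Map a five-die roll written as a string ('16655') to a 0-based list
    index by reading the dice as base-6 digits: '11111' -> 0, '66666' -> 7775."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def make_placeholder_list():
    """Constructed stand-in for a real 7776-word Diceware list. A real list
    pairs each roll with a short word; here entry i is 'w' + its roll string,
    so the mapping can be checked without shipping the real list."""
    words = []
    for i in range(LIST_SIZE):
        digits, x = [], i
        for _ in range(DICE_PER_WORD):
            digits.append(str(x % 6 + 1))
            x //= 6
        words.append("w" + "".join(reversed(digits)))
    return words


def roll_die_csprng():
    """Software substitute for a physical die (assumption): an unbiased 1..6
    from the OS CSPRNG via secrets, not from the random module's PRNG."""
    return secrets.randbelow(6) + 1


def generate_passphrase(n_words, wordlist, roll_die=roll_die_csprng):
    """Roll five dice per word and join the looked-up words with spaces."""
    words = []
    for _ in range(n_words):
        roll = "".join(str(roll_die()) for _ in range(DICE_PER_WORD))
        words.append(wordlist[roll_to_index(roll)])
    return " ".join(words)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who knows the list and the word count to
    find the phrase by exhaustive guessing: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    wl = make_placeholder_list()
    for n in (4, 5, 6, 7, 8):
        bits = passphrase_bits(n)
        years = expected_crack_seconds(bits, 1e9) / (3600 * 24 * 365)
        print(f"{n} words: {bits:5.1f} bits, ~{years:.3g} years at 1e9 guesses/s")
    print("words for 90 bits:", words_needed(90))
    print("sample:", generate_passphrase(5, wl))
```

Two checks worth noting: the FAQ's per-count figures truncate rather than round (90.4 and 51.6 where the arithmetic gives 90.47 and 51.70), and the crack-time estimate assumes the attacker already knows the word list and word count, which is the correct conservative assumption for a published list; the only secret is the dice outcome.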

    ©Ari® Guest

    On Tue, 12 May 2009 09:07:47 -0600 (MDT), Borked Pseudo Mailed wrote:

    > * You have verified the signatures on your copy of PGP or your
    > installed Hushmail 2 client.

    You just shot your load all over your face with this one, huge, major

    Hushmail has been severely compromised for ages.
    A fireside chat not with Ari!
    Motto: Live To Spooge It!
    ©Ari®, May 12, 2009