Discussion in 'Computer Security' started by Borked Pseudo Mailed, May 12, 2009.


    How long should my passphrase be?

    I recommend five words for most users.

    In their February 1996 report, "Minimal Key Lengths for Symmetric
    Ciphers to Provide Adequate Commercial Security," a group of
    cryptography and computer security experts -- Matt Blaze, Whitfield
    Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric
    Thompson, and Michael Weiner -- stated:

    "To provide adequate protection against the most serious threats...
    keys used to protect data today should be at least 75 bits long. To
    protect information adequately for the next 20 years ... keys in newly-
    deployed systems should be at least 90 bits long."

    A five-word Diceware passphrase has an entropy of at least 64.6 bits;
    six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits,
    four words 51.6 bits. Inserting an extra letter at random adds about 10
    bits of entropy. Here is a rough idea of how much protection various
    lengths provide, based on updated estimates by A.K. Lenstra (See Needless to say, projections for the far future have
    the most uncertainty.

    * Four words are breakable with a hundred or so PCs.
    * Five words are only breakable by an organization with a large
    * Six words appear unbreakable for the near future, but may be
    within the range of large organizations by around 2014.
    * Seven words and longer are unbreakable with any known technology,
    but may be within the range of large organizations by around 2030.
    * Eight words should be completely secure through 2050.

    Pick your passphrase size based on the level of security you want.

    Another way to think about passphrase length is to consider what
    security precautions you take to physically protect your computer and
    data. Here is a list of possible passphrase lengths and commensurate
    security precautions. The list of precautions is not intended to be
    complete. I am not trying to discourage anyone from using longer
    passphrases if they feel up to it, but the added strength without
    comparable physical security for your computer is of limited value.

    4 words
    * You would be content to keep paper copies of the encrypted
    documents in an ordinary desk or filing cabinet in an un-secured office.

    5 words
    * You need or want strong security, but take no special precautions
    to protect your computer from unauthorized physical access, beyond
    locking the front door of your house or office.

    6 words
    * Your computer is protected from unauthorized access at all times
    when not in your personal possession by being locked in a room or
    cabinet in a building where access is controlled 24 hours a day or that
    is protected by a high quality alarm service.
    * Routine cleaning and building maintenance people do not have
    physical access to your computer when you are not present.
    * You regularly use an up-to-date anti-virus program purchased off
    the floor at a computer store.
    * You have verified the signatures on your copy of PGP or your
    installed Hushmail 2 client.
    * You never run unverified downloaded software, e-mail attachments
    or unsolicited disks received through the mail on your computer.

    Note: However, I do encourage using six or more words on systems that
    use the passphrase directly to form a transmission key. Such systems
    include Hushmail, disk encryption (e.g. Apple's FileVault),
    Ciphersaber, and WiFi's WPA.

    7 words
    * You take all the steps listed under 6 words above, and:
    * Your computer is kept in a safe or vault at all times when it is
    not in sight of you or someone you trust.
    * Your computer was purchased off the floor at a randomly selected
    computer store.
    * All the software used on your computer was distributed with a
    strong, independently verified electronic signature that you checked,
    or was purchased off the floor in a randomly selected computer store.
    * Your computer has never been repaired or upgraded by anyone you
    do not trust completely.
    * All disks and tapes used with your computer are either kept in a
    safe or physically destroyed.
    * You take precautions against audio and video surveillance when
    entering passphrases.
    * You change your PGP encryption key regularly (at least once a
    * You have taken precautions against TEMPEST attacks. See the
    chapter "Commonsense and Cryptography," in Internet Secrets, from IDG
    Books Worldwide, for a discussion of what this involves.

    For people seeking long term data protection (greater than 10 years) I
    would recommend adding one word to the above suggestions.
    Borked Pseudo Mailed, May 12, 2009
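
The entropy figures in the post above follow from the standard Diceware list size of 6^5 = 7776 words, each chosen by five dice rolls. The sketch below is an added example, not part of the original post: it computes how many words a given bit target needs and draws words with the OS CSPRNG. All function names are hypothetical, the key-then-word line layout is the one assumed here, and the six-entry list is constructed for the demo.

```python
import math
import secrets

DICE_PER_WORD = 5                  # standard Diceware: five rolls pick one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries

def entropy_bits(words, list_size=LIST_SIZE):
    """Entropy of a passphrase of uniformly, independently chosen words."""
    return words * math.log2(list_size)

def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest word count whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def roll_key(dice=DICE_PER_WORD):
    """Simulate dice rolls with the OS CSPRNG; returns a key such as '41356'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))

def parse_wordlist(text):
    """Parse 'key<whitespace>word' lines; keys must use digits 1-6 only."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and all(c in "123456" for c in parts[0]):
            table[parts[0]] = parts[1]
    return table

def generate(table, words):
    """Draw `words` entries; refuse a list with missing keys, since a
    missing key means the real entropy is lower than the formula says."""
    if not table:
        raise ValueError("empty word list")
    dice = len(next(iter(table)))
    if len(table) != 6 ** dice or any(len(k) != dice for k in table):
        raise ValueError("word list is incomplete for its key length")
    return [table[roll_key(dice)] for _ in range(words)]

# Constructed one-die sample list (6 words), only to keep the demo offline.
SAMPLE_LIST = "1 alpha\n2 bravo\n3 charlie\n4 delta\n5 echo\n6 foxtrot\n"

if __name__ == "__main__":
    for target in (75, 90):        # thresholds quoted from the 1996 report
        n = words_needed(target)
        print(f"{target} bits -> {n} words ({entropy_bits(n):.1f} bits)")
    print(" ".join(generate(parse_wordlist(SAMPLE_LIST), 5)))
```

The entropy formula holds only when every word is picked uniformly at random; words chosen by the user, or drawn from a list with missing entries, carry less.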

  2. Borked Pseudo Mailed

    ©Ari® Guest

    You just shot your load all over your face with this one, huge, major

    Hushmail has been severely compromised for ages.
    ©Ari®, May 12, 2009