[ale] OT - making really strong pass phrases - was New encryption technology using a piece of paper

Ron Frazier atllinuxenthinfo at c3energy.com
Tue Sep 6 20:27:42 EDT 2011


Michael W.,

OK.  I'm impressed.  Assuming I did the math right, crack time is 98 
thousand years with a 1000 pc botnet.

You've pretty much convinced me to use long simple pass phrases if I 
have a choice, unless the website or application won't accept it.

Thanks for the info.  Thanks also to Michael T. and others who joined in 
the discussion.

Here are some numbers I thought everyone might like to consider.  
Estimated offline crack time based on 1000 pc botnet running at 100 
trillion guesses per second.  Using a 2048 word lexicon and simple pass 
phrase, giving 11 bits of entropy / word.  Bigger answers are all in 
days.  To get these numbers (in days), take the power of 2 (# of 
permutations) and divide by 8.64 x 10^18.

2 words - 2^22 permutations - 42 NANOSECONDS
3 words - 2^33 permutations - 86 MICROSECONDS
4 words - 2^44 permutations - 176 MILLISECONDS
5 words - 2^55 permutations - 360 SECONDS
6 words - 2^66 permutations - 8.54 days
7 words - 2^77 permutations - 17.49 thousand days = 47.92 years
8 words - 2^88 permutations - 35.82 million days = 98.14 thousand years
9 words - 2^99 permutations - 73.36 billion days = 200.98 million years

My takeaway from this is: if you want protection from a botnet, don't 
even consider a pass phrase less than 6 words if using a 2048 word 
lexicon.  If you only want protection from a fast attack by a single 
machine or small GPU array, multiply these crack times by 1000.  Pass 
phrases 5 words and less for this purpose are almost worthless.

Sincerely,

Ron


On 9/6/2011 5:17 PM, Michael H. Warfield wrote:
> Ah...  That's the whole point.  Yes you can go down this road and add
> complexity (and misery) to the process but you can accomplish the same
> task by adding words that are easy to read and process and much easier
> to support.
>
> Do the math again for 8 words.  88 bits of entropy.
>

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
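A small calculator that reproduces the table in the post above and generalizes it to other lexicon sizes and guess rates (the single-machine case is just a smaller guesses-per-second value). This is added example code, not from the original message; it assumes the post's figures: a 2048-word lexicon, 1e14 guesses per second, and a 365-day year.

```python
import math

# Assumptions taken from the post: a 2048-word lexicon (11 bits per word)
# and an attacker making 100 trillion (1e14) guesses per second.  The
# post's "8.64 x 10^18" is just 1e14 guesses/s times 86,400 seconds/day.
SECONDS_PER_DAY = 86_400.0
DAYS_PER_YEAR = 365.0   # the post's year figures use a 365-day year

def entropy_bits(words, lexicon_size=2048):
    """Entropy of `words` words chosen uniformly at random from the lexicon."""
    return words * math.log2(lexicon_size)

def crack_seconds(words, lexicon_size=2048, guesses_per_second=1e14):
    """Time to try every passphrase (worst case; average case is half this)."""
    return 2 ** entropy_bits(words, lexicon_size) / guesses_per_second

def crack_days(words, lexicon_size=2048, guesses_per_second=1e14):
    return crack_seconds(words, lexicon_size, guesses_per_second) / SECONDS_PER_DAY

def human_time(seconds):
    """Render a duration in the units the post's table uses."""
    if seconds < 1e-6:
        return f"{seconds * 1e9:.0f} nanoseconds"
    if seconds < 1e-3:
        return f"{seconds * 1e6:.0f} microseconds"
    if seconds < 1:
        return f"{seconds * 1e3:.0f} milliseconds"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds:.0f} seconds"
    days = seconds / SECONDS_PER_DAY
    if days < DAYS_PER_YEAR:
        return f"{days:.2f} days"
    return f"{days / DAYS_PER_YEAR:,.0f} years"

def min_words(min_days, lexicon_size=2048, guesses_per_second=1e14):
    """Smallest word count whose full search takes at least `min_days`."""
    words = 1
    while crack_days(words, lexicon_size, guesses_per_second) < min_days:
        words += 1
    return words

if __name__ == "__main__":
    for n in range(2, 10):
        print(f"{n} words - 2^{entropy_bits(n):.0f} - "
              f"{human_time(crack_seconds(n))}")
    # First word count whose full search outlasts one day of botnet effort
    print("words needed to survive one day:", min_words(1))
```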


