> Mitigation of this risk is to use, as long as practical, strong
> pre-shared keys, and to change them frequently. In Cisco IOS software,
> the PSK can be up to 128 characters in length. According to some
> estimates, one character carries from 1.3 to up to 4 bits of entropy.
> This means that the password can have, at maximum, anywhere from 166
> to 512 bits of entropy. The length of the PSK should be determined
> by your security policy.

Just an interesting note about the above comment. By generating 93 bytes of "cryptographic calibre" randomness, and then base64 encoding it, you will have a password that has 744 (93*8) bits of entropy, but is 128 bytes long.

If a more efficient encoding mechanism is used (one that uses the full valid character set on a Cisco, which I don't know personally), a larger key could potentially be generated.

If a strong key such as the one described above is used, according to some estimates, this will take a _very_ long time to brute force.

Cheers,
Derek
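
The approach discussed in this message, as an added example that is not part of the original post: it draws a PSK from a CSPRNG and reports its entropy for base64 and for a wider alphabet, next to the quoted estimate for human-chosen keys. The 128-character limit and the 1.3 to 4 bits-per-character range come from the quoted text; the `WIDE` alphabet and all function names are assumptions, not a statement of what Cisco IOS accepts.

```python
import base64
import math
import secrets
import string

MAX_PSK_CHARS = 128  # PSK length limit given in the quoted text


def base64_psk(max_chars=MAX_PSK_CHARS):
    """Random PSK via base64; returns (key, entropy_bits)."""
    # base64 maps every 3 input bytes to 4 output characters, so take the
    # largest multiple of 3 bytes whose encoding fits without '=' padding.
    n_bytes = (max_chars // 4) * 3
    key = base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")
    return key, n_bytes * 8


def alphabet_psk(alphabet, n_chars=MAX_PSK_CHARS):
    """Random PSK with each character drawn uniformly from `alphabet`."""
    symbols = sorted(set(alphabet))
    key = "".join(secrets.choice(symbols) for _ in range(n_chars))
    # Uniform, independent characters: log2(|alphabet|) bits per character.
    return key, n_chars * math.log2(len(symbols))


def human_estimate(n_chars=MAX_PSK_CHARS, low=1.3, high=4.0):
    """Entropy range for a human-chosen PSK at the quoted bits per character."""
    return n_chars * low, n_chars * high


# Assumption: a hypothetical wider alphabet (printable ASCII without space,
# '?' and quote characters). Check what your platform accepts in a PSK.
WIDE = set(string.ascii_letters + string.digits + string.punctuation) - set("?\"'")

if __name__ == "__main__":
    lo, hi = human_estimate()
    print(f"human-chosen, {MAX_PSK_CHARS} chars: {lo:.0f} to {hi:.0f} bits")
    key, bits = base64_psk()
    print(f"base64, {len(key)} chars: {bits} bits")
    key, bits = alphabet_psk(WIDE)
    print(f"{len(WIDE)}-symbol alphabet, {len(key)} chars: {bits:.0f} bits")
```
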