Re: Announce loop-AES-v1.3b file crypto package

On Sat, Jul 07, 2001 at 03:41:13AM +0200, peter k. wrote:

> > > i saw that in the readme: "Password string has a minimum length of 20
> > > characters."
> > > aren't 10 byte passwords enough? i don't like having to learn 20 byte
> > > passwords =(

> > No, 10 byte passwords are NOT enough.  Given that they are
> > printable ascii characters and subject to a variety of other entropy
> > reducing issues, a password "byte" is probably only worth about 6
> > bits of entropy, maybe (probably) less.  That gives you only about
> > 60 bits of strength against brute force.  Not enough...

> > Rule of thumb...  (although all "rules of thumb" are bad since
> > they lead to guessable patterns.)  Pass WORD is bad.  Pass PHRASE is
> > better.  Make it several words with number substitutions and odd
> > punctuation.  Make at LEAST one word misspelled, especially if the
> > misspelling is one of the numbers.  (Example: Wizard -> W122@xx!).
> > The sillier (or obnoxious, or obscene) the better (easier to remember,
> > harder to guess).  Basic mnemonics.  You won't forget and
> > 1t_wi11-b3=@xxxxxxx)H! t0 gu3ss..!  (it will be a bitch to guess) :-)

> well, i'm usually using passwords like "4wj8s06bj2" or "7e1t91436g", not any
> english or whatever words!!
> so if i would have to learn a 20 byte password in that format it would be
> like "v1872cqad730lbsq53i8" or "0v7g25y0mp49n26yrntb" and learning that isn't
> easy, is it? ;)

	But that still doesn't buy you as much entropy as using a
longer passphrase that is mnemonic and easier to remember.  Even if
you ASSUME that you can use totally random characters, that only
approaches 7 bits per character (but can never reach it) and is
still less than the strength of a well formed 20 character mnemonic
pass phrase that's easier to remember.

	BTW...  Count yourself LUCKY!  The $#@$#@$#@ ppdd encryption
package requires TWO 24-character passphrases!  That package has some
major advantages over the loopback packages like this, because it
encrypts a "session key" (a random key that you don't really control)
which allows for a "master key" and a "working key", each of which can
decrypt the session key that unlocks the drive.  Another advantage to
that package is encrypting the root drive (anyone work out how to do
that with this package?).

	Now...  Note...  That's two 24-character passphrases for EACH
master key and each working key.  You have to enter BOTH passphrases
of either the master key or the working key to unlock the drive.

	I'm looking at taking advantage of the two passphrase system
to generate a boot CD with one passphrase and a "smart card" with the
other passphrase, requiring that you have both to boot the system or
even access the root file system (the PIN on the smart card makes it
even tougher to bust even with the exposed passphrase on the CD).

	The MAJOR disadvantages to his system are some pedantic requirements
on block sizes, restriction to ext2(3) and major problems with the 2.4.x
kernels.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
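
The session-key arrangement described in the message above, sketched as an added example that is not part of the original post and is not ppdd's code or on-disk format: a random session key is wrapped once under a "master" passphrase pair and once under a "working" pair, and either pair (both halves together) recovers it. PBKDF2, the XOR-with-HMAC wrap, the slot layout and all names here are assumptions chosen so the sketch runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed PBKDF2 work factor
MIN_LEN = 24           # per-passphrase minimum quoted in the message

def _keys(pass_a: str, pass_b: str, salt: bytes):
    """Derive (encryption key, MAC key) from BOTH passphrases."""
    for p in (pass_a, pass_b):
        if len(p) < MIN_LEN:
            raise ValueError(f"passphrase shorter than {MIN_LEN} characters")
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(len(b).to_bytes(2, "big") + b
                        for b in (pass_a.encode(), pass_b.encode()))
    okm = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _pad(enc_key: bytes, salt: bytes) -> bytes:
    """One-block keystream; stand-in for a real key-wrap cipher."""
    return hmac.new(enc_key, b"wrap" + salt, hashlib.sha256).digest()

def wrap(session_key: bytes, pass_a: str, pass_b: str) -> bytes:
    """Return a key slot: salt(16) | wrapped key(32) | tag(32)."""
    if len(session_key) != 32:
        raise ValueError("session key must be 32 bytes")
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _keys(pass_a, pass_b, salt)
    ct = bytes(k ^ p for k, p in zip(session_key, _pad(enc_key, salt)))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def unwrap(slot: bytes, pass_a: str, pass_b: str) -> bytes:
    """Recover the session key, or raise if either passphrase is wrong."""
    salt, ct, tag = slot[:16], slot[16:48], slot[48:]
    enc_key, mac_key = _keys(pass_a, pass_b, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase pair or corrupted slot")
    return bytes(c ^ p for c, p in zip(ct, _pad(enc_key, salt)))

if __name__ == "__main__":
    session_key = secrets.token_bytes(32)   # random key that encrypts the disk
    # Constructed sample passphrases, one pair per slot.
    master = ("constructed master phrase 001", "constructed master phrase 002")
    working = ("constructed working phrase 01", "constructed working phrase 02")
    slots = [wrap(session_key, *master), wrap(session_key, *working)]
    assert all(unwrap(s, *pair) == session_key
               for s, pair in zip(slots, (master, working)))
    print("both slots unlock the same session key")
```

Because the disk is encrypted under the session key and not under a passphrase, the working pair can be replaced by rewriting one slot, with no re-encryption of the data.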


Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

