On 23/02/2017 13:51, Thibault Polge wrote:
> The consequence is a serious reduction of the complexity of
> brute-force attacks,
IMO, this is a non-issue.
Suppose each position in my password is taken from a set of N
possibilities, and then I tell you that my password is exactly 10
characters long.
Indeed, that means you don't have to brute-force all the 1 to 9 digit
passwords.
But (N^1 + N^2 + N^3 ... + N^9) is far smaller than N^10; approximately
N times smaller.
Hence the saving in brute force is a factor of 1/N. If I'm using base64
passwords then N=64 and I've saved you about 1/64th of the total work,
or less than 2%.
Not telling you my password length is a form of security through
obscurity. The strength of the password comes from its length and its
randomness - not from keeping its length secret.
In any case: by the time I've added metadata to passwords on subsequent
lines (URLs, usernames, comments) you're unlikely to get any dependable
info about my password length from the gpg file length.
Regards,
Brian.
_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
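The keyspace arithmetic in Brian's reply, worked through as an added example (this code is not from the thread or from pass itself): it computes exactly how much of the unknown-length search space disappears once the length L is known, and also expresses that saving in bits of entropy; N and L follow the mail's notation, the function names are my own.

```python
from fractions import Fraction
from math import log2

# Added worked example: quantify the brute-force work saved when the
# attacker learns the exact password length. N = symbols per position,
# L = password length, as in the mail. All counts are exact integers.


def keyspace_known_length(n: int, length: int) -> int:
    """Candidates when the length is known to be exactly `length`: N^L."""
    return n ** length


def keyspace_unknown_length(n: int, max_length: int) -> int:
    """Candidates when only 1..max_length is known: N^1 + N^2 + ... + N^max."""
    return sum(n ** i for i in range(1, max_length + 1))


def fraction_saved(n: int, length: int) -> Fraction:
    """Share of the unknown-length keyspace that no longer needs searching,
    i.e. (N^1 + ... + N^(L-1)) / (N^1 + ... + N^L). Tends to 1/N for large L."""
    total = keyspace_unknown_length(n, length)
    return Fraction(total - keyspace_known_length(n, length), total)


def entropy_bits_lost(n: int, length: int) -> float:
    """The same saving expressed as a reduction of search entropy, in bits:
    log2(unknown-length keyspace) - log2(N^L)."""
    return log2(keyspace_unknown_length(n, length)) - log2(keyspace_known_length(n, length))


if __name__ == "__main__":
    # N=64, L=10 is the base64 case from the mail; the others are constructed.
    for n, length in ((64, 10), (26, 8), (95, 16)):
        saved = fraction_saved(n, length)
        print(f"N={n:3d} L={length:2d}: work saved {float(saved):.4%} (about 1/{n}), "
              f"entropy lost {entropy_bits_lost(n, length):.4f} bits")
```

For N=64, L=10 the saving is about 1.56% of the total work, a loss of roughly 0.023 bits of entropy, which is the "less than 2%" figure in the mail.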