> From: [email protected] [mailto:[email protected]]
> On Behalf Of William J. Robbins
>
> (And that's based on
> this: https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_meas
> ure_of_password_strength
> using the Alphnumeric character value of 5.954, Would be some higher using
> special characters as one should)
> If I'm encrypting a drive I'd think a decent passphrase would meet/exceed 42
> characters. Something like: Dammit Jim, I'm a doctor not a bricklayer!
To attack your password in a situation such as you described above, an attacker
only needs to learn (or guess) that you used some sort of phrase instead of
random characters, and they won't need to attack random characters anymore.
They'll attack patterns of words, which is a *far* smaller space to attack,
considering you have only 8 words in there. 8 random words from the space
including unusual words and proper nouns and stuff, gets you around 104 bits.
Throw in some common substitutions such as "d0ctor" and you gain a little bit,
but they're predictable, unless they're random. In fact, *all* the characters
are predictable unless they're random.
I emphasize, number of characters is only a measure of entropy, if they're
randomly selected by a machine, and then you memorize them without any
modification. The measure of entropy in your password is measured by the
number of guesses an attacker would have to work through in order to guess your
pass. As soon as you start making modifications such as "Gpu7mvrDZ is too hard
to type, I'm going to make it GPU7mvrDZ" the attack space becomes smaller,
based on predictions of human behavior.
> But to get 256 bits of entropy is only around 42 characters isn't it?
To answer this kind of stuff, I like wolframalpha.
Alphanumeric, mixed case, means 26*26*10 possibilities for each character.
log2((26*26*10)^21)
If you randomly choose 21 characters = 267 bits. (20 chars is only 254 bits).
Here's an example of what the 21 char password would look like:
omEzmGpu7mvrDZbYYPM4Da
Yes, you can memorize something like that, with some effort. But you certainly
cannot expect it to be common practice.
They have to be *random* characters. No acronyms, nothing that reflects the
frequency of letters occurring in English, etc. If you're not selecting them
randomly, you're reducing the space you select your password from.
Also, in this: https://code.google.com/p/randchars/ There is a 2264 list of
words. log2(2264^23) = 256 bits. So 23 random words would give you 256 bits
entropy...
suggest-pot-live-complaint-flood-mouth-bless-and-sauce-anger-mineral-discussion-point-gallon-notebook-wreck-mercy-drop-cousin-absence-other-ocean-sacred
You could use a randomly generated 256 bit password like that. It might be
easier to memorize than the random characters.
> And if you are doing a home PC not on a domain, the only
> storage of the recovery key is where you put it on completion. I've seen
> folks screen shot it, print it off, etc.
Good point. Recovery key that was initially generated randomly is only as
secure as the security around your backup copy of that key. The truecrypt
recovery media is equally strong as the truecrypt volume itself - which is as
strong as your password. With bitlocker, you have several options, so it's
difficult to analyze the security of your backup keys. If stored in Active
Directory ... Well, AD is itself very secure if well configured. But lots of
people don't configure it well. And if you take a screen shot, or copy text,
then it all depends on where you choose to save it...
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
