<[EMAIL PROTECTED]> wrote:
> What is the difference between secret key and secret password in terms of
> why it would be more secure? Is it just a matter of character length?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] On Behalf Of Peter McNabb
> >use his root access to grab my key out of my home directory and
> > log into my home machine? What happened to that fundamental
> > difference in security? Joe didn't even need a top-secret super
> > high-powered NSA key-cracking machine!
>

One difference is that key loggers are not as much of a danger when you have a stored key, just people with control over a machine and read access to your key.

Under brute force conditions, I suspect the difference between a binary key and a password is a question of randomness and bit density. A 1024 bit key takes full advantage of its size, whereas a password only uses 5 or 6 bits of every byte to store characters people actually type and use.

binary key
1024 / 8 = 128 or 1024 bits of randomness in 128 characters/bytes

equivalent lower case key (plus numbers)
1024 / 5 random bits per character ~= 1024 bits of "randomness" in 205 characters

double characters with capital letters and some symbols
1024 / 6 random bits per character ~= 1024 bits of "randomness" in 171 characters

So yes, passwords are almost as secure, as long as they are random and longer than it is feasible to type. Who here would bother with a strong 42 character pass phrase (roughly equivalent to a 256 bit key)? (You have permission to refute and ridicule my math.)

As it stands, most passwords are crackable by a sophisticated password cracker using a language appropriate dictionary and adding common obfuscations. This is the disadvantage of passwords in general.

Incidentally, a 1024 bit number is roughly equivalent to a decimal integer of 306 digits. Brute forcing all such numbers at 1 second for each exchange (how does one make sure ssh requests must be a second apart?) would take 10^292 years.

Scott K.

--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their author.
They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/mailman/listinfo/uug-list
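
The bits-per-character comparison in the message above, worked as an added example (not part of the original post). It goes slightly beyond the message by computing exact log2 entropy for concrete alphabets and by generating a password of the required length; the alphabets, the one-guess-per-second rate and all function names are assumptions made here.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600  # leap days ignored

# Constructed alphabets (assumptions, not from the message).
LOWER_DIGITS = string.ascii_lowercase + string.digits       # 36 symbols
MIXED = string.ascii_letters + string.digits + "!@"         # 64 symbols


def bits_per_char(alphabet):
    """Entropy per character when each one is drawn uniformly from alphabet."""
    return math.log2(len(set(alphabet)))


def chars_needed(target_bits, per_char_bits):
    """Smallest length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / per_char_bits)


def random_password(target_bits, alphabet):
    """Password with at least target_bits of entropy, from the OS CSPRNG."""
    n = chars_needed(target_bits, bits_per_char(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def exhaustive_search_years_exp10(bits, guesses_per_second=1):
    """Power of ten of the years needed to try every one of 2**bits values."""
    years = (2 ** bits) // (guesses_per_second * SECONDS_PER_YEAR)
    return len(str(years)) - 1


if __name__ == "__main__":
    for bits in (256, 1024):
        print(f"{bits}-bit key = {bits // 8} random bytes")
        for name, alpha in (("lower+digits", LOWER_DIGITS), ("mixed-64", MIXED)):
            b = bits_per_char(alpha)
            print(f"  {name}: {b:.2f} bits/char -> {chars_needed(bits, b)} chars")
    print("sample 256-bit password:", random_password(256, MIXED))
    exp = exhaustive_search_years_exp10(1024)
    print(f"1024-bit space at 1 guess/s: about 10^{exp} years")
```

These lengths only hold when every character is chosen uniformly at random; a human-chosen password of the same length carries far less entropy, which is what dictionary-based cracking relies on.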
