You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2011-01-13 09:40:37
- tpolich
- Member
- Registered: 2009-08-07
- Posts: 44
Quick Question about Encryption
Hello everyone I just wanted to double check something before I implement it. In a real world scenario where the attacker starts with zero knowledge of your encryption does a 64 character passphrase of completely random characters preform any better then a 64 character passphrase of say 4 or 5 characters each repeated several time?
Last edited by tpolich (2011-01-13 09:41:26)
Offline
#2 2011-01-13 10:11:17
- dyscoria
- Member
- Registered: 2008-01-10
- Posts: 1,007
Re: Quick Question about Encryption
Yay maths!
Assuming you're making use of uppercase and lower case letters, numbers and symbols (which for argument's sake we'll say are 100 different characters altogether) it's certainly beyond any technology to brute force 100^64 (1 x 10^128). This gives "MATH ERROR" on my calculator. You don't need a calculator for this, but just to demonstrate that this number is friggin huge.
I think the recommendation at the moment is >=12 character passwords (of upper/lower/numbers/symbols), which gives number of passwords 1 x 10^24. If you are only using 5 characters, the number of possible passwords is 100^5 (1 x 10^10) (well a little more because you can have different numbers of repeats of this sequence). This is much smaller than the above!! If the attacker knows which 5 keys you are repeating (e.g. if they were standing nearby), their life is alot easier. Number of passwords now is 5^5 (3125) (again, a little more because of sequence repeats). If the attacker doesn't know the length of your password or the 5 characters used (likely), they still have a lot less passwords to brute force if they just try repeating combinations of 3 or 4 or 5 characters.
So basically, a passphrase (of any length) with a repeating combination of 5 letters is not really any more secure than a 5 letter passphrase. It's like saying abcdeabcdeabcdeabcdeabcde is much more secure than abcde (it isn't).
Of course this is all much ado about nothing if nobody is really bothered to hack your encryption. I would imagine an attacker would only do so if there were good reasons to believe there is something valuable contained inside. It would be a waste of time/resources otherwise. If you just want to stop a regular local attacker from hacking your hard drive, I'd just go with a 15ish character password that is completely random (1 x 10^30). Faster to type and it doesn't have the weakness of repeated characters I mentioned above. Someone hanging around would quite easily be able to spot what the 5 characters are, but then again, if someone has local access to your computer, it's easy enough to install a hardware keylogger. If someone has physical access to your computer and is determined, there's not much you can do to stop them.
DISCLAIMER: my maths may be entirely wrong 
I just thought this would be fun to do!
Last edited by dyscoria (2011-01-13 10:32:56)
flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)
Offline
Pages: 1