Is this secure?
Paul Rubin
no.email at nospam.invalid
Wed Feb 24 02:58:30 EST 2010
Steven D'Aprano <steven at REMOVE.THIS.cybersource.com.au> writes:
> Given a random six character password taken out of an alphabet of 52
> characters, it takes over nine billion attempts to brute force it.
> Reducing the alphabet by 50% cuts that down to less than 200 million. To
> make up for that loss of 1 bit of entropy, you need two extra characters
> in your password.
One extra character comes pretty close (within 1.3 bits). Even two
extra chars is probably (subjective) easier for a user to deal with than
a completely random mixture of upper/lower case. You don't get the
extra bit per character if that distribution is anything other than
random, of course.
For something like a web password (each guess takes a server hit), where
the resource guarded is not very valuable, 5 chars is probably enough
for most purposes. For something like an encryption key subject to
offline attacks, 6 mixed-case characters will barely slow a real
attacker down.
As before, my suggestion is still diceware. I've used random
alphanumerics in the past but they're too big a hassle, they have to be
written down, etc.
And of course, if you're doing something serious, use a hardware token.
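An added worked example, not part of the thread, that checks the entropy arithmetic discussed above in Python: bits per character, the keyspace sizes, how many extra characters make up for halving the alphabet, and how the same keyspace holds up against an online versus an offline guessing rate. The guess rates are assumed illustrative figures, not measurements.

```python
import math

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only valid when every character is chosen independently and uniformly."""
    return length * math.log2(alphabet_size)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings an exhaustive search must cover."""
    return alphabet_size ** length

def extra_chars_needed(old_alpha: int, new_alpha: int, length: int) -> int:
    """Smallest number of extra characters at the smaller alphabet that reaches
    at least the entropy of the original alphabet at the original length."""
    target = entropy_bits(old_alpha, length)
    extra = 0
    while entropy_bits(new_alpha, length + extra) < target:
        extra += 1
    return extra

def bits_short(old_alpha: int, new_alpha: int, length: int, extra: int) -> float:
    """How many bits the shrunken-alphabet password still lacks after adding
    `extra` characters (positive means weaker than the original)."""
    return entropy_bits(old_alpha, length) - entropy_bits(new_alpha, length + extra)

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    # Thread scenario: 6 characters, 52 letters vs. 26 letters.
    print("52^6 keyspace:", keyspace(52, 6))
    print("26^6 keyspace:", keyspace(26, 6))
    print("bits lost by halving alphabet:", entropy_bits(52, 6) - entropy_bits(26, 6))
    print("extra chars to compensate:", extra_chars_needed(52, 26, 6))
    print("shortfall with one extra char: %.2f bits" % bits_short(52, 26, 6, 1))
    # Diceware: one word from a 7776-word list (assumed standard list size).
    print("bits per diceware word: %.2f" % entropy_bits(7776, 1))
    # Assumed illustrative rates: 10 guesses/s against a server, 1e9/s offline.
    b = entropy_bits(52, 6)
    print("online, 10 guesses/s: %.0f years" % (seconds_to_exhaust(b, 10) / 3.15e7))
    print("offline, 1e9 guesses/s: %.0f seconds" % seconds_to_exhaust(b, 1e9))
```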