On 5/6/20 7:32 PM, Kent Borg wrote:
16-random characters? Which? Let's assume just lower case ASCII
alphabetics.

26^16 is 43608742899428874059776L

That is a big number. (Add uppercase and numbers and other printable
stuff...and 52**16 and 96**16 are both crazy bigger.)

If your attacker started brute forcing that lowercase password at the
start of the universe, and had been checking 100K guesses per second
ever since, your attacker would be finishing up any millennium now.

What is the point?

Encryption keys are different. There is no rate-limiting (nor remote
server crashing under your load), you can copy the encrypted file across
as many machines as you like.

- The rate at which you can test a password is determined by some
external server you don't control.

- The rate at which you can test an encryption key is limited only by
your budget.

In 1998 the $250,000 EFF's Deep Crack broke DES (56-bits) in under
3-days. (That was an impressive feat.) Put a $10,000,000 machine on it
and that would be under 2-hours. Have an NSA-style budget and a
$100,000,000 key cracking machine seems likely, and it takes less than
10-minutes.

These numbers are way out of date, but the principle still stands: Once
you have a copy of the encrypted data you can divide up the work and do
it in parallel.

To defend against a brute force search, make the encryption key longer.
AES is 128-bits or 256-bits. But your passphrase gets turned into the
real key, and if it is "password1234" it can be one of the first ones tried.

Make encryption passphrases crazy, nasty, un-typeable monsters to really
be safe.
-kb
_______________________________________________
Discuss mailing list
Discuss@lists.blu.org
http://lists.blu.org/mailman/listinfo/discuss
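The arithmetic behind the post (keyspace of a 16-character lowercase password at 100K guesses/s against the age of the universe, the Deep Crack budget scaling, and a passphrase being turned into a fixed-size AES key) worked through as an added example. This is not code from the post or the list; the 13.8-billion-year universe age, the "3 days" taken literally, the linear time-per-dollar scaling model, the PBKDF2 parameters and the 10-million-entry guess list for a weak passphrase are all assumptions chosen here for illustration.

```python
import hashlib
import math
import os

# Constructed constants for the arithmetic (assumptions, not from the post).
SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_SECONDS = 13.8e9 * SECONDS_PER_YEAR   # ~13.8 billion years
DEEP_CRACK_SECONDS = 3 * 24 * 3600                 # "under 3 days", taken as 3 days
DEEP_CRACK_COST_USD = 250_000


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(space):
    """Strength in bits of a uniformly chosen secret from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed, rate-limited speed."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def universe_lifetimes(space, guesses_per_second):
    """Same search expressed in multiples of the age of the universe."""
    return space / guesses_per_second / UNIVERSE_AGE_SECONDS


def scaled_crack_seconds(budget_usd, base_seconds=DEEP_CRACK_SECONDS,
                         base_cost=DEEP_CRACK_COST_USD):
    """Offline key search divides across machines, so (as a model) time
    falls linearly with budget relative to the Deep Crack data point."""
    return base_seconds * base_cost / budget_usd


def derive_key(passphrase, salt, iterations=600_000, key_bytes=32):
    """PBKDF2-HMAC-SHA256 turns any passphrase into a 32-byte (256-bit) key.
    The output is always full size; that says nothing about its strength."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=key_bytes)


def effective_key_bits(candidate_space, cipher_key_bits, kdf_iterations=1):
    """A passphrase-derived key is no stronger than the smaller of:
      - the passphrase's own search space (plus log2 of the per-guess KDF
        work, since each guess must run the KDF),
      - the cipher's nominal key size."""
    return min(entropy_bits(candidate_space) + math.log2(kdf_iterations),
               cipher_key_bits)


if __name__ == "__main__":
    lower16 = keyspace(26, 16)
    print(f"26^16 = {lower16}")
    print(f"online at 100K/s: {universe_lifetimes(lower16, 100_000):.2f} universe ages")
    for alphabet in (26, 52, 96):
        print(f"{alphabet}^16 = {entropy_bits(keyspace(alphabet, 16)):.1f} bits")
    for budget in (250_000, 10_000_000, 100_000_000):
        print(f"DES at ${budget:,}: {scaled_crack_seconds(budget) / 60:.1f} minutes")
    salt = os.urandom(16)
    key = derive_key("password1234", salt)
    print(f"derived key is {len(key) * 8} bits long, but with a 10M-entry guess list")
    print(f"and 600K PBKDF2 rounds it is worth ~{effective_key_bits(10**7, 256, 600_000):.0f} bits")
    print(f"a random 16-char lowercase passphrase is worth ~{effective_key_bits(lower16, 256):.0f} bits")
```

The numbers reproduce the post's scenarios: the lowercase 16-character search at 100K guesses/s comes out at almost exactly one age of the universe, the $10M machine lands at 1.8 hours, and the derived key from "password1234" is 256 bits long yet worth only a few dozen bits of work, which is the whole reason the post asks for long, random passphrases.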