-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert J. Hansen wrote:
> Faramir wrote:
>> IIRC, once I saw somebody saying 128 bits is more than enough for a
>> good passphrase. And that beyond that length, there was no real strength
>> gains... But maybe I am not recalling it correctly...
>
> This is something you've heard from a lot of people, probably, myself
> included. 128 bits is enough until we get some science fiction
> breakthroughs.
>
> Of course, the trick there is 128 bits _of entropy_, not 128 bits _of
> passphrase_. Conservatively speaking, there are probably about 1.5 bits
> of entropy per letter of English text, meaning you'd need about an
> 80-char English passphrase to max it out. Introducing alphanumeric
> characters, punctuation and the like will reduce this considerably.
>
>> Anyway, brute-forcing an 8-character-long SHA1 password, in a home
>> computer, would take months... even using several home computers to
>
> Think 'centuries.' The RC5/64 project brute-forced a 64-bit cipher
> using 18 months and a very large distributed computing system.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
Measuring the strength of a randomly selected password

Dear list readers,

I just found this article:
http://www.redkestrel.co.uk/Articles/RandomPasswordStrength.html
"Measuring the strength of a randomly selected password"

Calculating the entropy of a password is well explained here. I don't know if it is mathematically correct, no proof is delivered, but it is easy to understand.

    The entropy of a randomly selected password is based on its length and the
    entropy of each character. The entropy of each character is given by log
    base 2 of the size of the pool of characters the password is selected from;
    see the formula below:

        entropy per character = log2(n)
        password entropy = l * entropy per character

    where n is the pool size of characters and l is the length of the password.
    Thus the entropy of a character selected at random from, say, the letters
    (a-z) would be log2(26) or 4.7 bits. The table below gives the entropy per
    character for a number of different sized character pools.

    Character pool                      Available characters (n)   Entropy per character
    digits                              10 (0-9)                   3.32 bits
    case insensitive letters            26 (a-z)                   4.7 bits
    case sensitive letters and digits   62 (A-Z, a-z, 0-9)         5.95 bits
    all standard keyboard characters    94                         6.55 bits

    So, from the table above, we can see that a 20 character password chosen at
    random from the keyboard's set of 94 printable characters would have more
    than 128 bits (6.55 * 20) of entropy. A password with this much entropy is
    infeasible to break by brute force (exhaustively working through all
    possible character combinations).

===

I use the formula

    y = log_b(a)    <=>    a = b^y

hence

    log_b(a) = ln(a) / ln(b),    base e = 2.71828182846...

In my table I used the log function with base 10, which is irrelevant as long as I use the same base in the numerator as in the denominator. IIRC the denominator is the one at the bottom.
The Characters in Unicode
http://www.tbray.org/ongoing/When/200x/2003/04/26/UTF

Unicode currently defines just under 100,000 characters; the entropy would increase for a 20 character Unicode passphrase to 20 * 19.93 bits = 398.6 bits.

Here is my table:

    Character pool                               Available characters (n)                                   Entropy per character (bits)
    digits                                       10 (0-9)                                                   3.32192809
    case insensitive letters                     26 (a-z)                                                   4.70043972
    case sensitive letters and digits            62 (A-Z, a-z, 0-9)                                         5.95419631
    all standard keyboard characters plus blank  95 (the 95 graphic ASCII characters, 32 to 126 decimal)    6.56985561
    Unicode                                      1000000 (Unicode currently defines just under 100,000      19.93156857
                                                 characters; Unicode and the ISO/IEC 10646 Universal
                                                 Character Set (UCS) have a much wider array of characters)

One Unicode character has approximately three times the entropy of one ASCII character, if I have done my homework correctly: 6.56985561 * 3.0 = 19.71 bits of entropy for one character.

I'd really like to see UTF-8 supported in GnuPG, and to be able to type some characters from my keyboard, and additionally select some cool Unicode letters from a language only I know, use the clipboard and insert that into the passphrase. Or, as in Windows, possibly Alt + Unicode number.

Hence 20 Unicode letters would then have an entropy of 398.6 bits. With only 7 Unicode letters I reach an entropy of 7 * 19.93 = 139.5 bits, if I have understood it correctly.

Can GnuPG accept UTF-8 characters as passphrase input? Please? Will additional UTF-8 Unicode passphrase support increase the entropy according to my entropy calculations?

Sincerely yours,

Morten Gulbrandsen
主バイトホイットフィールド
_____________________________________________________________________
Java programmer, C++ programmer
CAcert Assurer, GSWoT introducer, thawte Notary
Gossamer Spider Web of Trust http://www.gswot.org
Please consider the environment before printing this e-mail!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
Comment: For keyID and its URL see the OpenPGP message header

iEYEARECAAYFAkj+XwIACgkQ9ymv2YGAKVRyFACfWRndfNNckLrhHkTrXHQ0sfD6
vs4AoKtHvuQxUEj8O9mAk1lNUaJRxBQW
=lSeC
-----END PGP SIGNATURE-----
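An added worked example, not part of Morten's post and not GnuPG code, that carries the post's formula through in Python: bits per character for the pools in the two tables (the 1,000,000 pool size for Unicode is taken from the post's table as given, not as a count of assigned code points), the length needed to reach 128 bits, the log-base independence noted under the table, and a worst-case exhaustive-search time for a guess rate the caller supplies (the 1e9 guesses per second in `__main__` is an illustrative assumption, not a measurement). The figures only hold for a password drawn uniformly at random, which is what the `secrets`-based generator does; they say nothing about a passphrase a person picked.

```python
import math
import secrets
import string

# Pool sizes follow the tables in the post. The 95-character pool is printable
# ASCII 32..126 including the blank; the 1,000,000 figure is the pool size the
# post used for Unicode and is taken as given here (an assumption, not a count).
POOLS = {
    "digits": string.digits,
    "case insensitive letters": string.ascii_lowercase,
    "case sensitive letters and digits": string.ascii_letters + string.digits,
    "all standard keyboard characters": string.ascii_letters + string.digits + string.punctuation,
    "keyboard characters plus blank": string.ascii_letters + string.digits + string.punctuation + " ",
}
UNICODE_POOL_SIZE_FROM_POST = 1_000_000


def bits_per_char(n, base=2):
    """Entropy of one character drawn uniformly from a pool of n characters.

    Written as log_base(n) / log_base(2) so the base cancels: log10 (as used in
    the post's table) and ln give the same number of bits as log2.
    """
    return math.log(n, base) / math.log(2, base)


def password_entropy(pool_size, length):
    """l * log2(n): total bits for a length-l uniformly random password."""
    return length * bits_per_char(pool_size)


def chars_needed(pool_size, target_bits=128):
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(pool_size))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case wall-clock years to try every password with the given entropy.

    The guess rate is an input chosen for the attacker and password hash you
    are modelling, not something this code measures.
    """
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def random_password(length, pool=POOLS["keyboard characters plus blank"]):
    """Uniform selection via the OS CSPRNG; the entropy formula only applies
    to passwords produced this way, not to human-chosen ones."""
    return "".join(secrets.choice(pool) for _ in range(length))


def entropy_table(target_bits=128):
    """Rows of (pool name, n, bits per character, length needed for target_bits)."""
    rows = [(name, len(pool), bits_per_char(len(pool)), chars_needed(len(pool), target_bits))
            for name, pool in POOLS.items()]
    rows.append(("Unicode (pool size as used in the post)", UNICODE_POOL_SIZE_FROM_POST,
                 bits_per_char(UNICODE_POOL_SIZE_FROM_POST),
                 chars_needed(UNICODE_POOL_SIZE_FROM_POST, target_bits)))
    return rows


if __name__ == "__main__":
    for name, n, bits, length in entropy_table():
        print(f"{name:42s} n={n:<8d} {bits:6.2f} bits/char  {length:3d} chars for 128 bits")
    pw = random_password(20)
    print(f"20-char sample from the 95-char pool: {pw!r} -> {password_entropy(95, 20):.1f} bits")
    rate = 1e9  # assumed guess rate, for illustration only
    for bits in (64, 80, 128):
        print(f"{bits:3d} bits at {rate:.0e} guesses/s: {years_to_exhaust(bits, rate):.3g} years")
```

Running it reproduces the post's per-character figures (4.70 bits for a-z, 6.57 for the 95-character pool, 19.93 for the 1,000,000 pool) and shows that 20 characters from the 94-character pool clear 128 bits while 7 characters from the 1,000,000 pool give about 139.5 bits, as the post computes; the time estimate makes the point in the quoted reply visible, since the same 2^bits search space scales by a factor of 2^64 between a 64-bit and a 128-bit target regardless of the guess rate assumed.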