Steven D'Aprano <ste...@remove.this.cybersource.com.au> writes:

> Given a random six character password taken out of an alphabet of 52
> characters, it takes over nine billion attempts to brute force it.
> Reducing the alphabet by 50% cuts that down to less than 200 million. To
> make up for that loss of 1 bit of entropy, you need two extra characters
> in your password.
One extra character comes pretty close (within 1.3 bits). Even two extra chars are probably (subjectively) easier for a user to deal with than a completely random mixture of upper/lower case. You don't get the extra bit per character if that distribution is anything other than random, of course.

For something like a web password (each guess takes a server hit), where the resource guarded is not very valuable, 5 chars is probably enough for most purposes. For something like an encryption key subject to offline attacks, 6 mixed-case characters will barely slow a real attacker down.

As before, my suggestion is still diceware. I've used random alphanumerics in the past but they're too big a hassle, they have to be written down, etc.

And of course, if you're doing something serious, use a hardware token.
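The entropy arithmetic behind this exchange (bits per symbol, extra characters needed to compensate for a halved alphabet, online versus offline guessing budgets, and a diceware-style pick), as an added example that is not code from either poster; the guess rates and the eight-word list are assumptions made for illustration.

```python
import math
import secrets

# Assumed attacker guess rates (illustrative, not from the thread).
ONLINE_RATE = 10               # guesses/second against a rate-limited web login
OFFLINE_RATE = 1_000_000_000   # guesses/second against a captured hash or key

# Constructed stand-in for a Diceware list; a real list has 7776 (6**5) words.
WORDLIST = ["apple", "bison", "cedar", "delta", "ember", "flint", "grove", "hazel"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def extra_symbols_needed(small_alphabet: int, large_alphabet: int, length: int) -> int:
    """Extra symbols from the smaller alphabet needed to reach at least the
    entropy of `length` symbols drawn from the larger one."""
    target = entropy_bits(large_alphabet, length)
    n = length
    while entropy_bits(small_alphabet, n) < target:
        n += 1
    return n - length


def expected_crack_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Average brute-force time at `rate` guesses/s: half the keyspace on average."""
    return (alphabet_size ** length) / 2 / rate


def diceware_passphrase(words: list[str], count: int) -> tuple[str, float]:
    """Pick `count` words with a CSPRNG; return the phrase and its entropy in bits."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return " ".join(chosen), entropy_bits(len(words), count)


if __name__ == "__main__":
    print("52^6 vs 26^6, bits lost:", entropy_bits(52, 6) - entropy_bits(26, 6))
    print("extra lowercase chars to compensate:", extra_symbols_needed(26, 52, 6))
    print("5 lowercase chars, online, seconds:", expected_crack_seconds(26, 5, ONLINE_RATE))
    print("6 mixed-case chars, offline, seconds:", expected_crack_seconds(52, 6, OFFLINE_RATE))
    print("diceware-style phrase:", diceware_passphrase(WORDLIST, 5))
```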