Re: How many characters to make Winzip AES 256 unbreakable?

TwistyCreek <anon@xxxxxxxxxxxxxxx> wrote in news:5CLVJIKD38851.6280902778

> Arthur T. wrote:
>
>> In Message-ID:<Xns97C2C5EBF7A9764A18E@xxxxxxxxx>, Zak
>> <duff@xxxxxxxxxxxxxx> wrote:
>>
>>> If I use a password made up of ordinary characters (A-Z, a-z, 0-9)
>>> no specials then how many characters do I need to use to make AES 256
>>> uncrackable by a brute force attack?
>>
>> Well, to make your password not the weak point, you need 43
>> totally random characters.
>
> <snip accurate math>
>
> Which would more often than not make your password considerably weaker
> than something like Diceware or a "random pronounceable" password of
> shorter length because in the real world nobody is going to remember 43
> totally random characters. That means they'll write it down, or secure
> with something a lot weaker like Password Safe and "mydogsname" as a
> master password. Or inversely, use it to secure all other "lesser"
> passwords which would all be compromised by one breach.
>
> Real world scenarios dictate more "rational" passwords, and sufficient
> physical security. Or the whole thing usually breaks horribly. :(

The question originally raised was what strength a password should have.
It was raised in the context of a random string drawn from a character
pool. The question was answered.

How to store such a password is an entirely different question. Human
beings, with rare exceptions, are very poor at remembering long strings
of random characters. But that human limitation does not make the
password itself a whit weaker. Moreover, accommodating that human
limitation is a very poor reason for shortening and weakening the
password. Compounding weaknesses is poor strategy.

There are a number of ways of addressing the problem, including secure
storage and passphrases. Passphrases are especially attractive since
human beings are remarkably good at remembering structured information
such as phrases or sentences, even nonsense ones. Using a rough median
estimate of the "Shannon entropy" of ordinary English as 1.2
bits/character, a sentence of about 200 characters should have strength
equivalent to AES 256. The sentence should not, of course, be drawn from
a book or novel, especially popular ones. Sentences of the form (but
longer than) "A purple aardvark cavorts in a grotto of kumquat rinds."
will do nicely.


PS The ability of folks to memorize verbatim even long pieces of
structured information is illustrated by how many folks can recite the
Lord's prayer by heart.

PPS But all this is addressing the security of the *system* not the
password. A valid, if broader, question, but not the question originally
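The arithmetic behind the thread's figures (43 random alphanumeric characters for 256 bits, roughly 200 characters of English at 1.2 bits/character), as an added worked example that is not from any of the posters: a small calculator that compares the three password styles discussed (random string from a character pool, Diceware word list, English sentence) against a target key strength, and reports the effective strength of the whole scheme as the weaker of key and password. The pool sizes are assumptions of this example: 62 for A-Z/a-z/0-9 (given in the thread), 95 for printable ASCII, and 7776 for a standard Diceware list; the 1.2 bits/character English estimate is the thread's own figure.

```python
import math

# Constructed pool table for this example. 62 comes from the thread
# (A-Z, a-z, 0-9); 95 (printable ASCII) and 7776 (standard Diceware
# word list) are assumptions of this example, not figures from the posts.
POOLS = {
    "alphanumeric (A-Z, a-z, 0-9)": 62,
    "printable ASCII": 95,
    "diceware words": 7776,
}

# The thread's rough median estimate of the Shannon entropy of English prose.
ENGLISH_BITS_PER_CHAR = 1.2


def bits_per_symbol(pool_size: int) -> float:
    """Entropy contributed by one symbol chosen uniformly from a pool."""
    return math.log2(pool_size)


def random_string_strength(length: int, pool_size: int) -> float:
    """Entropy in bits of `length` uniformly random symbols from the pool."""
    return length * bits_per_symbol(pool_size)


def symbols_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of random symbols whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(pool_size))


def english_sentence_strength(num_chars: int,
                              bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Entropy estimate for an original (not quoted) English sentence."""
    return num_chars * bits_per_char


def english_chars_needed(target_bits: float,
                         bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> int:
    """Sentence length needed to match target_bits at the given rate."""
    return math.ceil(target_bits / bits_per_char)


def effective_strength(key_bits: float, password_bits: float) -> float:
    """The attacker takes the cheaper path: the scheme is only as strong as
    the weaker of the cipher key and the password that protects it."""
    return min(key_bits, password_bits)


def password_plan(target_bits: float) -> dict:
    """Length each password style needs to not be the weak point."""
    plan = {name: symbols_needed(target_bits, size) for name, size in POOLS.items()}
    plan["english sentence (chars)"] = english_chars_needed(target_bits)
    return plan


if __name__ == "__main__":
    # Reproduces the thread's numbers for an AES-256 key.
    for style, length in password_plan(256).items():
        print(f"{style:32s} {length:4d}")
    # A 12-character alphanumeric password in front of AES-256 leaves the
    # password, not the cipher, as the point an attacker would work on.
    pw_bits = random_string_strength(12, 62)
    print(f"12 alphanumeric chars: {pw_bits:.1f} bits; "
          f"effective scheme strength {effective_strength(256, pw_bits):.1f} bits")
```

The `effective_strength` function is the thread's closing point in one line: lengthening the password only helps until it matches the key, and shortening it to make it memorable lowers the whole scheme to the password's entropy.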