Re: Newbie question on encryption keys



Mark Shroyer <usenet-mail@xxxxxxxxxxxxxxx> (07-07-11 05:56:32):

> > This is imprecise. 32 characters will by far not be enough for the
> > password to have 256 bits of entropy. Remember that users only use
> > a subset of all possible characters (and they shouldn't use them
> > all, because of localization issues).
> >
> > In most cases one character of the password will have slightly less
> > than seven bits of entropy, because you don't type eight bit
> > characters, and you also don't type control characters.
>
> Yes, you're right of course; by "32 random ASCII characters" I
> actually meant 32 characters from all possible ASCII values 0-127,
> printable or not. Just thought I'd leave out the discussion of
> practical specifics in the interest of brevity.

The set of printable ASCII characters is a less-than-seven bit character
set, as you see directly from the fact that it contains only 95
characters (32..126). You need 39 completely random characters of this
kind to get (slightly more than) 256 bits of entropy.

You cannot include the non-printable subset, because there is no easy
and portable way to type them, especially in GUIs. Though, even
including the non-printables, you will still need 37 random characters
for 256 bits of entropy.


Regards,
Ertugrul Söylemez.


--
Security is the one concept, which makes things in your life stay as
they are. Otto is a man, who is afraid of changes in his life; so
naturally he does not employ security.
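
Added example, not part of the original post: the length calculation from the message above, done with exact integer arithmetic, plus a generator that draws uniformly from printable ASCII with a CSPRNG. The function names are assumptions chosen for this illustration.

```python
import math
import secrets

# Printable ASCII, codes 32..126: the 95-character set counted in the post.
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))


def min_length(alphabet_size: int, target_bits: int) -> int:
    """Smallest n with alphabet_size**n >= 2**target_bits.

    Uses integers only, so there is no floating-point rounding at the boundary.
    """
    if alphabet_size < 2 or target_bits < 1:
        raise ValueError("need alphabet_size >= 2 and target_bits >= 1")
    n, space, goal = 0, 1, 1 << target_bits
    while space < goal:
        space *= alphabet_size
        n += 1
    return n


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly chosen symbols."""
    return length * math.log2(alphabet_size)


def generate_password(target_bits: int, alphabet: str = PRINTABLE_ASCII) -> str:
    """Random password carrying at least target_bits of entropy."""
    symbols = sorted(set(alphabet))  # a repeated symbol would bias the draw
    n = min_length(len(symbols), target_bits)
    # secrets.choice draws from the OS CSPRNG without modulo bias.
    return "".join(secrets.choice(symbols) for _ in range(n))


if __name__ == "__main__":
    for size, label in ((95, "printable ASCII"), (128, "all ASCII 0-127")):
        n = min_length(size, 256)
        print(f"{label}: {n} chars = {entropy_bits(size, n):.1f} bits")
    print(f"32 printable chars = {entropy_bits(95, 32):.1f} bits")
    print(generate_password(256))
```

The figures only hold when every character is drawn independently and uniformly; a password chosen by a person has far less entropy per character.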