Re: Safe password?
- From: "giorgio.tani" <giorgio.tani@xxxxxxxx>
- Date: 28 Dec 2005 08:33:56 -0800
> I use an encryption program that uses AES-256 as its encryption
> algorithm but only allows passwords with a maximum length of 16
> characters. Is it possible to create a safe password with only 16
> characters for this encryption type?

Hi, IMHO it's quite hard for a user to easily remember a randomly
generated 16-character password, even if from a reduced character
set.

On the other hand, it's quite probable that if it's the user that is
requested to choose the password, he/she will choose a trivially
guessable one.

The keyspace, especially in the second case, would be far from the one
of AES-256 and the system could be brute forced with an effort much
lower than brute forcing an AES-256 implementation that uses the whole
keyspace; however, this fact alone is not a mandatory reason to "reduce"
the encryption to an AES-128.

I would rather enforce the application's capability to exploit the AES
256 keyspace; for example, AFAIK you have two ways:

- you may let the user enter long sentences and hash them (with a
collision resistant hash) to a random key of the length you desire;
- you may use a two factor authentication "something you have plus
something you know" generating a random keyfile, that the user will
have to manage in a secure way, plus a traditional password
authentication, that the user has to remember (and here you can
implement the same suggestion of the first point of letting the user
type a long passphrase and then hash it to the length you desire).
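
The two options in the message above, as an added Python example that is not part of the original post: it compares the keyspace of a random 16-character password with the 256 bits AES-256 expects, then derives a 256-bit key from a passphrase of any length plus an optional keyfile. Using PBKDF2-HMAC-SHA256 instead of a single hash pass, the HMAC mixing step, and the names `keyspace_bits` and `derive_key` are assumptions of this example.

```python
import hashlib
import hmac
import math
import os

KEY_LEN = 32  # 256 bits, the AES-256 key size


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def derive_key(passphrase: str, salt: bytes, keyfile: bytes = b"",
               iterations: int = 600_000) -> bytes:
    """Stretch a passphrase of any length into a 256-bit key.

    PBKDF2-HMAC-SHA256 replaces a single hash pass (an assumption of this
    example) so that every guess costs an attacker `iterations` hashes.
    If keyfile bytes are given they are mixed in with HMAC, so both
    factors are needed to reproduce the key.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    if not keyfile:
        return stretched
    return hmac.new(keyfile, stretched, hashlib.sha256).digest()


if __name__ == "__main__":
    # Upper bound for a 16-character password: assumes truly random choice.
    for name, size in [("lowercase", 26), ("alphanumeric", 62),
                       ("printable ASCII", 95)]:
        print(f"16 random {name} chars: {keyspace_bits(16, size):.1f} bits")
    salt = os.urandom(16)     # stored beside the ciphertext, not secret
    keyfile = os.urandom(32)  # constructed stand-in for the random keyfile
    key = derive_key("a long sentence only the user knows", salt, keyfile)
    print("derived 256-bit key:", key.hex())
```

The derived key is always 256 bits long, but its strength is still bounded by the entropy of the passphrase (plus the keyfile, when one is used).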