
I remember Truecrypt putting pressure on you to have at least 20 characters, but doing some research..... it seems even 14 characters is good enough (using Caps, Non caps, numbers, special #'s, etc)

So my question is: Is a 14 character password safe enough for practical purposes? (Using A,a,1,! - Caps/Lowercase/Numbers/Special #'s) ex: 9(ax4$3#AZz22Z

It still seems it would take 204 million years to crack it according to: howsecureismypassword.net/

According to password.kaspersky.com/ it would take 327 centuries

According to bee-man.us/computer/password_strength.html 5107806 years using Base 64

Starzzzzz
  • 155
  • 3
  • 10
  • Yes, 14 characters is fine. – hft Sep 08 '18 at 00:12
  • Since you mention online password strength checkers, you probably want to read this Q&A: https://security.stackexchange.com/questions/185236/confused-about-using-a-password-that-would-take-centuries-to-break – Luis Casillas Sep 08 '18 at 00:25

1 Answer

3

If (and a big if!) you choose the characters uniformly at random, from a set of 95, each choice independently from each other, then each of the 14 random choices has about 6.6 bits of entropy. (By very coarse math that's worth memorizing: uniform random choice out of 10 possibilities is about 3.3 bits; out of 100 possibilities is about 6.6 bits.)

So:

  • 6.6 bits/character * 14 characters = 92.4 bits.
  • 6.6 bits/character * 20 characters = 132 bits.

It seems that TrueCrypt's recommendation is grounded on a choice to use a 128-bit encryption algorithm like AES-128—20 printable ASCII characters is the shortest length whose maximum security can live up to the 128-bit security level of the application.

I would say that you should consider using their 20 character recommendation, but you could just as well seriously consider using 14. The Diceware Passphrase FAQ has an entry discussing recommended passphrase lengths for encryption, with advice that while no means definitive at least gives you some important perspective:

A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits, nine words 116 bits, ten words 129 bits. (Four words only provide 51.6 bits, about the same as an 8 character password made up of random ASCII characters. Both are breakable in less than a day with two dozen graphics processors.) Inserting one extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See www.keylength.com). Needless to say, projections for the far future have the most uncertainty.

  • Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)
  • Six words may be breakable by an organization with a very large budget, such as a large country's security agency.
  • Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.
  • Eight words should be completely secure through 2050.

Pick your passphrase size based on the level of security you want.

Also, this bit further down is definitely fun and good food for thought:

Another way to think about passphrase length is to consider what security precautions you take to physically protect your computer and data. Here is a list of possible passphrase lengths and commensurate security precautions. The list of precautions is not intended to be complete. I am not trying to discourage anyone from using longer passphrases if they feel up to it, but the added strength without comparable physical security for your computer is of limited value.

[...]

7 words

  • Your computer is protected from unauthorized access at all times when not in your personal possession by being locked in a room or cabinet in a building where access is controlled 24 hours a day or that is protected by a high quality alarm service.
  • Routine cleaning and building maintenance people do not have physical access to your computer when you are not present.
  • You regularly use an up-to-date anti-virus program purchased off the floor at a computer store.
  • You have verified the signatures on your copy of PGP or GPG, etc.
  • You never run unverified downloaded software, e-mail attachments or unsolicited disks received through the mail on your computer.

[...]

8 words

You take all the steps listed under 7 words above, and:

  • Your computer is kept in a safe or vault at all times when it is not in sight of you or someone you trust.
  • Your computer was purchased off the floor at a randomly selected computer store.
  • All the software used on your computer was distributed with a strong, independently verified electronic signature that you checked, or was purchased off the floor in a randomly selected computer store.
  • Your computer has never been repaired or upgraded by anyone you do not trust completely.
  • All disks and tapes used with your computer are either kept in a safe or physically destroyed.
  • You take precautions against audio and video surveillance when entering passphrases.
  • You change your PGP encryption key regularly (at least once a year).
  • You have taken precautions against TEMPEST attacks. See the chapter "Commonsense and Cryptography," in Internet Secrets, from IDG Books Worldwide, for a discussion of what this involves.

I think these are perhaps a bit paranoid for most people (is the NSA or FSB out to get you?), but they do convey an important message: making your password super-strong has diminishing returns. It only does you so much good to have the strongest passphrase in the world if you're vulnerable to much easier attacks. That's how you'd justify the much more convenient 14-character password over the 20-character one.

Luis Casillas
  • 10,361
  • 2
  • 28
  • 42