max. length of master PW

  • Peter
    2013-10-27

    Hi,
    I wonder what the maximum length of the masterPW would be. Is there a "useful" upper limit e.g. due to the encryption algorithm for the database?
    TIA for your time
    Greetings
    pepe

  • Rony Shapiro
    2013-10-28

    Hm,

    I'd guess the limiting factor would be the input buffer of the line where you input the passphrase, IIRC, ~32K characters. The passphrase is fed into an algorithm that can work with (again, from memory) ~4 billion (2^32) bytes, "hashing" them into a 256 bit key.

    As to "useful", I'd say the longest you can practically remember and type is best. Certainly no shorter than 12 characters, not a word in any dictionary, not a name or number that's associated with you (e.g., phone, car license, etc.).

  • Don Walker
    2013-10-28

    If the passphrase is being hashed into a 256 bit key, wouldn't that suggest that there isn't much point to having a passphrase longer than 32 8-bit characters?

  • Rony Shapiro
    2013-10-28

    No. In short, because there are many (many!) more 256 bit random values (2^256) than there are of 32 random characters (if there are, say, 80 different characters, that's 80^32). Roughly the difference between 10^77 and 10^61, resp. That is, about ten million billion times more binary 256 bit keys than combinations of 32 random characters.

  • Don Walker
    2013-10-28

    Thanks for explaining that. A couple more questions:

    1. How big a passphrase can you use before you get a significant risk of collisions with the 256 bit hash?

    2. Would a brute force attack need to use more than 32 characters to guarantee success (assuming that it could input the full 8-bit range for each character)?

  • Rony Shapiro
    2013-10-29

    1. The larger your passphrase, the smaller your chance of two different passphrases having the same hash.
    2. Certainly.

    Before diving into this further, let's play with the numbers a bit. Consider even the smallest number we've discussed: 10^61. Assuming you had a million (10^6) computers at your service that could try one combination every microsecond (10^-6), that's 10^12 tries per second, which would take "only" 10^49 seconds (10^61/10^12), which is ~10^41 years. Compare this to the age of the universe: ~10^31 years...
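An added example, not part of the thread and not Password Safe's own code, that works through the numbers in Rony's two replies: the passphrase space for a given alphabet size and length, the length at which that space catches up with the 2^256 key space, and the exhaustive-search time estimate. The 80-symbol alphabet, 32-character length and 10^12 guesses/second come from the thread; the other alphabet sizes in the table are my assumptions.

```python
from math import log2

KEY_BITS = 256                     # size of the derived key discussed in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` characters
    drawn from an alphabet of `alphabet_size` symbols (exact integer)."""
    return alphabet_size ** length


def min_length_to_match_key(alphabet_size: int, key_bits: int = KEY_BITS) -> int:
    """Smallest length at which the passphrase space is at least 2**key_bits.
    Beyond this length the key, not the passphrase, is the smaller space."""
    length = 0
    while passphrase_space(alphabet_size, length) < 2 ** key_bits:
        length += 1
    return length


def key_to_passphrase_ratio(alphabet_size: int, length: int) -> int:
    """How many times larger the 2**KEY_BITS key space is than the
    passphrase space (the 'ten million billion' figure in the thread)."""
    return 2 ** KEY_BITS // passphrase_space(alphabet_size, length)


def brute_force_years(space: int, guesses_per_second: float) -> float:
    """Years needed to try every value in `space` at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The thread's own figures: 80 symbols, 32 characters, 10**12 guesses/s.
    space = passphrase_space(80, 32)
    print(f"80^32 = {space:.2e}  (~2^{log2(space):.0f})")
    print(f"2^256 / 80^32 = {key_to_passphrase_ratio(80, 32):.2e}")
    print(f"exhaustive search at 10^12 guesses/s: {brute_force_years(space, 1e12):.1e} years")
    # Assumed alphabet sizes (mine, not the thread's): lowercase, alphanumeric,
    # printable ASCII, and Don's hypothetical full 8-bit range.
    for name, size in [("a-z", 26), ("a-zA-Z0-9", 62), ("printable ASCII", 95), ("all 8-bit", 256)]:
        print(f"{name:>16}: {min_length_to_match_key(size)} chars to reach 2^256")
```

The last row shows Don's point exactly: only with all 256 byte values per character does a 32-character passphrase match the key space; with a typeable alphabet it takes around 40 characters.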