Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.
I wonder what the maximum length of the masterPW would be. Is there a "useful" upper limit e.g. due to the encryption algorithm for the database?
TIA for your time
I'd guess the limiting factor would be the input buffer of the line where you input the passphrase, IIRC, ~32K characters. The passphrase is fed into an algorithm that can work with (again, from memory) ~4 billion (2^32) bytes, "hashing" them into a 256 bit key.
As to "useful", I'd say the longest you can practically remember and type is best. Certainly no shorter than 12 characters, not a word in any dictionary, not a name or number that's associated with you (e.g., phone, car license, etc.).
If the passphrase is being hashed into a 256 bit key, wouldn't that suggest that there isn't much point to having a passphrase longer than 32 8-bit characters?
No. In short, because there are many (many!) more 256 bit random values (2^256) than there are of 32 random characters (if there are, say, 80 different characters, that's 80^32). Roughly the difference between 10^77 and 10^61, resp. That is, about ten million billion times more binary 256 bit keys than combinations of 32 random characters.
Thanks for explaining that. A couple more questions:
How big a passphrase can you use before you get a significant risk of collisions with the 256 bit hash?
Would a brute force attack need to use more than 32 characters to guarantee success (assuming that it could input the full 8-bit range for each character)?
Before diving into this further, Let's play with the numbers a bit. Consider even the smallest number we've discussed: 10^61. Assuming you had a million (10^6) computers at your service that could try one combination every microsecond (10^-6), that's 10^12 tries per second, which would take "only" 10^49 seconds (10^61/10^12), which is ~10^41 years. Compare this to the age of the universe: ~10^31 years...