## max. length of master PW

Help
Peter
2013-10-27
2013-10-29

• Peter
2013-10-27

Hi,
I wonder what the maximum length of the masterPW would be. Is there a "useful" upper limit e.g. due to the encryption algorithm for the database?
Greetings
pepe

• Rony Shapiro
2013-10-28

Hm,

I'd guess the limiting factor would be the input buffer of the line where you input the passphrase, IIRC, ~32K characters. The passphrase is fed into an algorithm that can work with (again, from memory) ~4 billion (2^32) bytes, "hashing" them into a 256 bit key.

As to "useful", I'd say the longest you can practically remember and type is best. Certainly no shorter than 12 characters, not a word in any dictionary, not a name or number that's associated with you (e.g., phone, car license, etc.).

• Don Walker
2013-10-28

If the passphrase is being hashed into a 256 bit key, wouldn't that suggest that there isn't much point to having a passphrase longer than 32 8-bit characters?

• Rony Shapiro
2013-10-28

No. In short, because there are many (many!) more 256 bit random values (2^256) than there are of 32 random characters (if there are, say, 80 different characters, that's 80^32). Roughly the difference between 10^77 and 10^61, resp. That is, about ten million billion times more binary 256 bit keys than combinations of 32 random characters.

• Don Walker
2013-10-28

Thanks for explaining that. A couple more questions:

1. How big a passphrase can you use before you get a significant risk of collisions with the 256 bit hash?

2. Would a brute force attack need to use more than 32 characters to guarantee success (assuming that it could input the full 8-bit range for each character)?

• Rony Shapiro
2013-10-29

1. The larger your passphrase, the smaller your chance of two different passphrases having the same hash.
2. Certainly.

Before diving into this further, let's play with the numbers a bit. Consider even the smallest number we've discussed: 10^61. Assuming you had a million (10^6) computers at your service that could try one combination every microsecond (10^-6), that's 10^12 tries per second, which would take "only" 10^49 seconds (10^61/10^12), which is ~10^41 years. Compare this to the age of the universe: ~10^31 years...
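
The numbers in this thread, worked through as an added example (not part of any post and not Password Safe's code): exact keyspace sizes, the length at which a random passphrase reaches 256 bits, and the exhaustive-search time at the guessing rate used above. `derive_key` is a single unsalted SHA-256, used only as a stand-in to show that a hash consumes characters past the 32nd; it is an assumption, not the program's actual key derivation, and the passphrases are constructed.

```python
import hashlib
import math

KEY_BITS = 256                        # size of the derived key mentioned in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Exact number of passphrases of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, bits: int = KEY_BITS) -> int:
    """Shortest random passphrase whose keyspace is at least 2**bits."""
    length = 1
    while keyspace(alphabet_size, length) < 2 ** bits:
        length += 1
    return length


def years_to_exhaust(space: int, tries_per_second: int) -> float:
    """Time to try every candidate at a fixed guessing rate."""
    return space / tries_per_second / SECONDS_PER_YEAR


def derive_key(passphrase: str) -> bytes:
    """Stand-in derivation (assumption): one unsalted SHA-256 of the passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


if __name__ == "__main__":
    space = keyspace(80, 32)
    gap = math.log10(2 ** KEY_BITS) - math.log10(space)
    print(f"80^32 ~ 10^{math.log10(space):.1f} ({entropy_bits(80, 32):.1f} bits)")
    print(f"2^256 ~ 10^{math.log10(2 ** KEY_BITS):.1f}, gap ~ 10^{gap:.1f}")
    print(f"exhaust 80^32 at 10^12/s: {years_to_exhaust(space, 10 ** 12):.1e} years")
    for alphabet in (26, 80, 95, 256):
        print(f"alphabet {alphabet:3}: {min_length_for_bits(alphabet)} symbols reach 256 bits")
    # Constructed passphrases: identical for 32 characters, differing only after.
    base = "correct-horse-battery-staple-32c"
    print(derive_key(base).hex())
    print(derive_key(base + "X").hex())
```

With an 80-character alphabet the keyspace does not reach 2^256 until 41 random characters; only with the full 8-bit range does a 32-character passphrase have as many possible values as there are 256-bit keys.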