[Cryptography] Passwords are dying - get over it
Lars Luthman
mail at larsluthman.net
Mon Dec 23 13:10:26 EST 2013
On Mon, 2013-12-23 at 10:10 -0500, Bill Cox wrote:
> The bad news: even the 0.1% of us who bother to add key stretching to our
> ssh private key's only get 2048 rounds of AES-256, which wont even slow
> down an ASIC based cracker. All this does is provide security against
> hackers with graphics cards, and not much security at that. Frankly, this
> protection is so dismal, I give up. Whoever is influencing TrueCrypt and
> OpenSSL into hard-coding 2048 worthless rounds of key stretching designed
> to be efficient on ASICs wins.
But how much key stretching do you want? Even with a billion rounds you
don't add more than ~30 bits of work, which is less than what you get by
adding three more words to a Diceware-like passphrase using a dictionary
with 2000 words.
--ll
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131223/60d1d928/attachment.pgp>
More information about the cryptography
mailing list