[Cryptography] Passwords (Smallest feasible work factor today?)

Peter Fairbrother peter at tsto.co.uk
Sat Sep 10 09:19:58 EDT 2022


On 07/09/2022 16:20, Phillip Hallam-Baker wrote:
> Folk, what are people's thoughts on the smallest work factor that can be 
> considered acceptable today? I am thinking 2^80.

Yep, if brute-force is the attack model and if QC isn't involved. But 
see below.


> I know there are attempts to make hashing harder and I have nothing but 
> contempt and scorn for such efforts in futility. 

I don't get that. If you have to hash 
(plus-add-a-unique-identifier-to[22]) a passphrase 2^40 times, and you 
have a passphrase with 40 bits of entropy, for a brute force attack is 
that not the same amount of work as a standard single-hash search on a 
2^80 passphrase?

Of course that ignores the cost of trial attempts ... but I can't think 
of any practical situation where 2^40 attempts is < 2^40 times easier 
than 2^80 attempts, and in general you can adjust the cost of a hash to 
equal the cost of an attempt.

[22] which afaict is QC resistant


> FIDO/Passkey

is pants.

> First up, we need a standards-based password vault 

nonononono. I want to control my passwords myself, not some "provider"



As for myself, I use five remembered passwords which are more than 20 
bits of entropy long - for my two banks, Paypal and two others. I don't 
store those anywhere (though eBay sometimes keeps me logged in to Paypal 
against my wishes).

The rest are handled by the password manager in my desktop browser. _I 
don't need_ strong authentication for the vast majority of them, and the 
physical security and a high entropy autogenerated password is enough 
for eg my not-very-confidential medical records.

I don't care whether those passwords are too short and easily broken. 
Most passwords, like the TV example you gave, are there to protect the 
website, largely from lawsuits, but not to protect me.


To remember those passwords I might need for multi-device use, I add to 
or change the website or whatever name in some easily memorable way, and 
use that. If that doesn't give enough entropy, well tough luck on the 
website, but I don't care.

I could copy passwords from one device to another.  Generally this is 
pretty easy, and I usually carry an all-but music-and-videos desktop 
backup on a USB stick on my keyring anyway. However I don't really want 
my passwords on my phone, as other people have access to it.

Or else I could have two or three accounts - phone, tablet, desktop - 
with different passwords. Sometimes linked, mostly not. Who cares as 
long as it works?



-- Peter Fairbrother

10th law: "Security is a Boolean"

Either it will have worked, or it won't. It can be hard to see which 
 
                   from the present perspective...


