[Cryptography] Passwords (Smallest feasible work factor today?)
Peter Fairbrother
peter at tsto.co.uk
Sat Sep 10 09:19:58 EDT 2022
On 07/09/2022 16:20, Phillip Hallam-Baker wrote:
> Folk, what are people's thoughts on the smallest work factor that can be
> considered acceptable today? I am thinking 2^80.
Yep, if brute-force is the attack model and if QC isn't involved. But
see below.
> I know there are attempts to make hashing harder and I have nothing but
> contempt and scorn for such efforts in futility.
I don't get that. If you have to hash
(plus-add-a-unique-identifier-to[22]) a passphrase 2^40 times, and you
have a passphrase with 40 bits of entropy, for a brute force attack is
that not the same amount of work as a standard single-hash search on a
2^80 passphrase?
Of course that ignores the cost of trial attempts ... but I can't think
of any practical situation where 2^40 attempts is < 2^40 times easier
than 2^80 attempts, and in general you can adjust the cost of a hash to
equal the cost of an attempt.
[22] which afaict is QC resistant
> FIDO/Passkey
is pants.
> First up, we need a standards-based password vault
nonononono. I want to control my passwords myself, not some "provider"
As for myself, I use five remembered passwords which are more than 20
bits of entropy long - for my two banks, Paypal and two others. I don't
store those anywhere (though eBay sometimes keeps me logged in to Paypal
against my wishes).
The rest are handled by the password manager in my desktop browser. _I
don't need_ strong authentication for the vast majority of them, and the
physical security and a high entropy autogenerated password is enough
for eg my not-very-confidential medical records.
I don't care whether those passwords are too short and easily broken.
Most passwords, like the TV example you gave, are there to protect the
website, largely from lawsuits, but not to protect me.
To remember those passwords I might need for multi-device use, I add to
or change the website or whatever name in some easily memorable way, and
use that. If that doesn't give enough entropy, well tough luck on the
website, but I don't care.
I could copy passwords from one device to another. Generally this is
pretty easy, and I usually carry an all-but-music-and-videos desktop
backup on a USB stick on my keyring anyway. However I don't really want
my passwords on my phone, as other people have access to it.
Or else I could have two or three accounts - phone, tablet, desktop -
with different passwords. Sometimes linked, mostly not. Who cares as
long as it works?
-- Peter Fairbrother
10th law: "Security is a Boolean"
Either it will have worked, or it won't. It can be hard to see which
from the present perspective...
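The work-factor arithmetic in the reply above (a 40-bit passphrase hashed 2^40 times costs a brute-force attacker about as much as a single hash over an 80-bit passphrase), as an added example that is not part of the thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the iterated hash and a random per-entry salt as the "unique identifier"; the passphrase and iteration counts are constructed sample values, and the throughput measurement is a rough single-thread figure for whatever machine runs it.

```python
"""Brute-force cost of a stretched (iterated, salted) passphrase hash."""
import hashlib
import math
import os
import time


def stretch(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    # One verifier-side evaluation: `iterations` chained HMAC-SHA256 rounds,
    # with the per-entry salt mixed in so precomputed tables cannot be
    # shared across entries (PBKDF2 from the standard library).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations)


def effective_work_bits(entropy_bits: float, iterations: int) -> float:
    # An attacker must try up to 2^entropy guesses, each costing
    # `iterations` hash rounds, so total work is 2^(entropy + log2(iterations)).
    return entropy_bits + math.log2(iterations)


def iterations_for_target(entropy_bits: float, target_bits: float) -> int:
    # Smallest power-of-two iteration count that lifts a passphrase of the
    # given entropy to the target work factor (1 if already at target).
    shortfall = max(0.0, target_bits - entropy_bits)
    return 2 ** math.ceil(shortfall)


def hashes_per_second(iterations: int = 20000) -> float:
    # Rough local throughput of the iterated hash, single-threaded, used
    # only to translate a bit count into wall-clock time on this machine.
    start = time.perf_counter()
    stretch(b"benchmark", b"\x00" * 16, iterations)
    elapsed = time.perf_counter() - start
    return iterations / elapsed


def brute_force_years(entropy_bits: float, iterations: int, rate: float) -> float:
    # Time to exhaust the whole guess space at `rate` hash rounds per second.
    total_rounds = 2 ** effective_work_bits(entropy_bits, iterations)
    return total_rounds / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)              # the per-entry unique identifier
    passphrase = b"correct horse"      # constructed sample passphrase
    iters = 2 ** 20
    stored = stretch(passphrase, salt, iters)
    print(f"stored tag: {stored.hex()[:16]}... (salt {salt.hex()[:8]}...)")
    print(f"40-bit passphrase x 2^40 iterations -> "
          f"{effective_work_bits(40, 2 ** 40):.0f} bits of brute-force work")
    need = iterations_for_target(40, 80)
    print(f"iterations to lift 40 bits to 80: 2^{int(math.log2(need))}")
    rate = hashes_per_second()
    print(f"~{rate:,.0f} rounds/s here; 40-bit passphrase at 2^20 iterations "
          f"takes ~{brute_force_years(40, iters, rate):,.0f} years single-threaded")
```

The bit-count identity holds only for an offline attacker who can evaluate the hash freely; against an online login, a rate limit or lockout makes each trial attempt cost far more than one hash, which is the "cost of trial attempts" caveat in the reply.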