Re: How many characters to make Winzip AES 256 unbreakable?
The question originally raised was what strength a password should have.
It was raised in the context of a random string drawn from a character
pool. The question was answered.

How to store such a password is an entirely different question. Human
beings, with rare exceptions, are very poor at remembering long strings
of random characters. But that human limitation does not make the
password itself a whit weaker. Moreover, accommodating that human
limitation is a very poor reason for shortening and weakening the
password. Compounding weaknesses is poor strategy.

There are a number of ways of addressing the problem, including secure
storage and passphrases. Passphrases are especially attractive since
human beings are remarkably good at remembering structured information
such as phrases or sentences, even nonsense ones. Using a rough median
estimate of the "Shannon entropy" of ordinary English as 1.2
bits/character, a sentence of about 200 characters should have strength
equivalent to AES 256. The sentence should not, of course, be drawn from
a book or novel, especially popular ones. Sentences of the form (but
longer than) "A purple aardvark cavorts in a grotto of kumquat rinds."
will do nicely.

PS The ability of folks to memorize verbatim even long pieces of
structured information is illustrated by how many folks can recite the
Lord's prayer by heart.

PPS But all this is addressing the security of the *system* not the
password. A valid, if broader, question, but not the question originally