I've got some hundreds of passwords total, mostly in http://keepass.info/ after going into File, Database Settings, Security, hitting the "1 second delay" option under "Number of key transformation rounds", and then multiplying that by a small number so it takes 2-12 seconds to process the password each time (more if using KeePassDroid or other mobile device ports), which adds quite a few bits of security. 40 million rounds is about 12 and a half bits more security than the default 6 thousand rounds, for example.

Most of these are passwords with over 128 bits of entropy - 100% random passwords of length 20 to length 128 with as large a character set as the application allows. While it's probably overkill at length 128, since:

01110101000010011000111101001110110110000010101111011000000111101101001111001100001010110111110011101001111110100101110110100101

is a 128 bit password, and thus is more or less equivalent to 128 bit symmetric ciphers in terms of security, if you use LastPass or KeePass or any other tool, creating a password generation profile or five is trivial. Any cryptographically random password with a keyspace of 2^128 (3.4E38) or greater is going to meet current security standards about as long as 128 bit symmetric encryption does.

That's a cryptographically random:

- 128 character binary password
- 39 character numeric only password
- 28 character all lower case password
- 25 character lower + numeric password
- 23 character lower case + upper case password
- 22 character lower + upper + numeric password
- 21 character lower + upper + numeric + symbols over numeric password
- 20 character lower + upper + numeric + 32 symbols password
- 18 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

Biometrics are interesting, but what do you do after someone steals them? Get new fingerprints/retinas? Passwords, at least, you can change.

RSA and other TOTP tokens are a good idea, but they can be compromised at the root, so the onus is still on users to have solid passwords.

The only answer I have right now is a password manager with a truly strong cryptographically random password (just start using it regularly; your fingers will remember after a few painful weeks).

Be aware, if you ever type that password manager password in to some other site, then anyone who's ever taken a copy of it and gets that password can open it up.

Note also that pieces of paper in your wallet/purse aren't that bad an idea - paper out of the open isn't subject to bulk collection/data breaches, and most of us are reasonably good at protecting our wallets/purses most of the time, assuming low level adversaries.

P.S. If you want a less secure but still reasonable 96 bit (7.9E28) password:

That's a cryptographically random:

- 96 character binary password
- 29 character numeric only password
- 21 character all lower case password
- 19 character lower + numeric password
- 17 character lower case + upper case password
- 17 character lower + upper + numeric password
- 16 character lower + upper + numeric + symbols over numeric password
- 15 character lower + upper + numeric + 32 symbols password
- 13 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

P.P.S. If you want a borderline/not strong 80 bit (1.2E24) password:

That's a cryptographically random:

- 80 character binary password
- 25 character numeric only password
- 17 character all lower case password
- 16 character lower + numeric password
- 14 character lower case + upper case password
- 14 character lower + upper + numeric password
- 13 character lower + upper + numeric + symbols over numeric password
- 13 character lower + upper + numeric + 32 symbols password
- 11 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
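The three length tables above and the "12 and a half bits" figure for KeePass rounds all come from the same two formulas: entropy = length × log2(charset size), and each doubling of KDF rounds costs an attacker one more bit of work. The following is an added example (not the poster's code) that reproduces them; charset sizes are my assumptions from the list labels (10 symbols above the digit keys, 32 printable ASCII symbols, 81 high-ASCII characters as the post counts them). Note it rounds strictly up, so for the 80-bit table it returns 18 for lowercase-only and 15 for mixed case, where the post accepts 17 (79.9 bits) and 14 (79.8 bits).

```python
import math

# Character-set sizes assumed from the post's labels (constructed here).
CHARSETS = {
    "binary": 2,
    "numeric": 10,
    "lower": 26,
    "lower+numeric": 36,
    "lower+upper": 52,
    "lower+upper+numeric": 62,
    "lower+upper+numeric+10 symbols over digits": 72,
    "lower+upper+numeric+32 symbols": 94,
    "lower+upper+numeric+32 symbols+81 high ASCII": 175,
}


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(charset_size)


def min_length(target_bits: int, charset_size: int) -> int:
    """Smallest length whose entropy reaches target_bits (rounded up)."""
    return math.ceil(target_bits / math.log2(charset_size))


def length_table(target_bits: int) -> dict:
    """Required length for every charset, at one entropy target."""
    return {name: min_length(target_bits, size) for name, size in CHARSETS.items()}


def kdf_extra_bits(rounds: int, baseline_rounds: int) -> float:
    """Extra brute-force cost, in bits, from raising key-transformation
    rounds over a baseline: log2 of the slowdown factor."""
    return math.log2(rounds / baseline_rounds)


if __name__ == "__main__":
    for bits in (128, 96, 80):
        print(f"{bits}-bit target:")
        for name, length in length_table(bits).items():
            print(f"  {length:4d} chars  {name}  ({entropy_bits(length, CHARSETS[name]):.1f} bits)")
    # The post's KeePass comparison: 40 million rounds vs the 6 thousand default.
    print(f"40M vs 6k rounds: +{kdf_extra_bits(40_000_000, 6_000):.1f} bits")
```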