Passwords

The spin on passwords for AES

In Are AES-256 keys too Large? I discussed that 256-bit keys will fall short of their implied security when derived from passwords or embedded in protocols with other cryptography. To achieve the equivalent of 256-bit security, users would need to select 40-character passwords at random, and protocols would need to employ RSA keys with at least 13,000 bits. At times 256-bit keys are just too big for their own good. Nonetheless AES-256 is being widely deployed since it conveniently lies at the intersection of good marketing and pragmatic security. In upgrading from AES-128 to AES-256 vendors can legitimately claim that their products use maximum strength cryptography, and key lengths can be doubled (thus squaring the effort for brute force attacks) for a modest 40% performance hit. Perhaps this reasoning prevailed at Adobe when they recently upgraded their document encryption scheme from AES-128 in v8 to AES-256 in v9.

The Spin Factor

Key = PBKDF(salt, password, iteration count)

Micro Spin

Kill the Password: Why a String of Characters Can't Protect Us Anymore

You have a secret that can ruin your life. It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you. Your email. Your bank account. Your address and credit card number. No matter how complex, no matter how unique, your passwords can no longer protect you. Look around. This summer, hackers destroyed my entire digital life in the span of an hour. The age of the password is over. Since that awful day, I’ve devoted myself to researching the world of online security. First thing I do?

KeePass Password Safe / Discussion / Open Discussion: Keyfile vs. password: convenience vs. security?

Pass Phrases vs. Passwords. Part 3 of 3

Published: December 1, 2004. Jesper M. Johansson, Ph.D., ISSAP, CISSP, Security Program Manager, Microsoft Corporation.

This is the final article in our series on passwords versus pass phrases. The first part covered the fundamentals of passwords and pass phrases, how they are stored, and so on.

Password Advice

Whether pass phrases are better than passwords seems to be a matter of personal preference.

Making Pass Phrases Stronger

There is one more thing to consider; namely, that you can easily add additional entropy to a pass phrase. There is one more way to estimate the additional strength created by substitutions.

Enforcing Password Policies

After reading these articles, you may decide to change your password policy to enforce pass phrases only, or in some other way.

Why You Should Not Use Account Lockout

Conclusion