From 4c2c2802ba3173f63fcbdfedbf6af6151e22e4b2 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Tue, 12 Jan 2021 15:29:20 -0800 Subject: [PATCH] New article: password strength --- content/posts/password-strength.gmi | 242 +++++++++++++++++++++ content/posts/password-strength.md | 321 ++++++++++++++++++++++++++++ 2 files changed, 563 insertions(+) create mode 100644 content/posts/password-strength.gmi create mode 100644 content/posts/password-strength.md diff --git a/content/posts/password-strength.gmi b/content/posts/password-strength.gmi new file mode 100644 index 0000000..7e20de9 --- /dev/null +++ b/content/posts/password-strength.gmi @@ -0,0 +1,242 @@ +This is a tale of the intersection between thermal physics, cosmology, and a tiny amount of computer science to answer a seemingly innocuous question: "How strong does a password need to be for it to be physically impossible to brute-force, ever?" + +Note: this post contains equations. Since none of the equations were long or complex, I decided to just write them out in code blocks instead of using images or MathML the way Wikipedia does. + +## Introduction + +I realize that advice on password strength can get outdated. As supercomputers grow more powerful, password strength recommendations need to be updated to resist stronger brute-force attacks. Passwords that are strong today might be weak in the future. How long should a password be in order for it to be physically impossible to brute-force, ever? + +This question might not be especially practical, but it's fun to analyze and offers interesting perspective regarding sane upper-limits on password strength. + +## Asking the right question + +Instead of predicting what tomorrow's computers may be able to do, let's examine the biggest possible brute-force attack that the laws of physics can allow. + +A supercomputer is probably faster than your phone; however, given enough time, both are capable of doing the same calculations. If time isn't the bottleneck, energy usage is. More efficient computers can flip more bits with a finite amount of energy. + +In other words, energy efficiency and energy availability are the two fundamental bottlenecks of computing. What happens when a computer with the highest theoretical energy efficiency is limited only by the mass-energy of the entire observable universe? + +=> https://en.wikipedia.org/wiki/Observable_universe Observable universe (Wikipedia) + +Let's call this absolute unit of an energy-efficient computer the MOAC (Mother of All Computers). For all classical computers that are made of matter, do work to compute, and are bound by the conservation of energy, the MOAC represents a finite yet unreachable limit of computational power. And yes, it can play Solitaire with *amazing* framerates. + +How strong should your password be for it to be safe from a brute-force attack by the MOAC? + +### Quantifying password strength. + +A good measure of password strength is *entropy bits.* The entropy bits in a password is a base-2 logarithm of the number of guesses required to brute-force it.¹ + +A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits. + +For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption. As the name suggests, its keys have 256 bits of entropy; if your password has more than 256 entropy bits, then the AES-256 encryption algorithm is the bottleneck. + +=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia) + +To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC. + +=> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler zxcvbn: Low-Budget Password Strength Estimation +=> https://keepassxc.org/ KeePassXC Password Manager + +## The Problem + +Define a function P. P determines the probability that MOAC will correctly guess a password with n bits of entropy after using e energy: + +``` +P(n, e) +``` + +If P(n, e) ≥ 1, the MOAC will certainly guess your password before running out of energy. The lower P(n, e) is, the less likely it is for the MOAC to guess your password. + +## Caveats and estimates + +I don't have a strong physics background. + +When estimating, we'll prefer higher estimates that increase the odds of it guessing a password; after all, the point of this exercise is to establish an *upper* limit on password strength. We'll also simplify: for instance, the MOAC will not waste any heat, and the only way it can guess a password is through brute-forcing. Focusing on too many details would defeat the point of this thought experiment. + +I won't address any particular encryption algorithms; this is just a pure and simple brute-force attack given precomputed password entropy. Furthermore, quantum computers can use Grover's algorithm for an exponential speed-up; to account for quantum computers using Grover's algorithm, calculate P(n/2, e) instead. + +Obviously, I'm not taking into account future mathematical advances; my crystal ball broke after I asked it if humanity would ever develop the technology to make anime real. + +=> https://en.wikipedia.org/wiki/Grover%27s_algorithm Grover's algorithm (Wikipedia) + +## Computation + +How much energy does MOAC use per guess during a brute-force attack? In the context of this thought experiment, this number should be unrealistically low. I settled on kT. k represents the Boltzmann Constant (about 1.381×10⁻²³ J/K) and T represents the temperature of the system. Their product corresponds to the amount of heat required to create a 1 nat increase in a system's entropy. + +=> https://en.wikipedia.org/wiki/KT_(energy) kT (Wikipedia) +=> https://en.wikipedia.org/wiki/Boltzmann_constant Boltzmann Constant (Wikipedia) + +A more involved approach to picking a good value might utilize the Plank-Einstein relation. + +=> https://en.wikipedia.org/wiki/Planck%E2%80%93Einstein_relation Plank-Einstein relation (Wikipedia) + +It's also probably a better idea to make this value an estimate for flipping a single bit, and to estimate the average number of bit-flips it takes to make a single password guess. If that bothers you, pick a number b you believe to be a good estimate for a bit-flip-count and calculate P(n+b, e) instead of P(n, e). + +What's the temperature of the system? Three pieces of information help us find out: + +1. The MOAC is located somewhere in the observable universe +2. The MOAC will be consuming the entire observable universe +3. The universe is mostly empty + +A good value for T would be the average temperature of the entire observable universe. The universe is mostly empty; T is around the temperature of cosmic background radiation in space. The lowest reasonable estimate for this temperature is 2.7 degrees Kelvin.² A lower temperature means less energy usage, less energy usage allows more computations, and more computations raises the upper limit on password strength. + +Every guess, the MOAC expends kT energy. Let E = the total amount of energy the MOAC can use; let B = the maximum number of guesses the MOAC can execute before running out of energy. + +```` +B = E/(kT) +``` + +Now, given the maximum number of passwords the MOAC can guess B and the bits of entropy in our password n, we have an equation for the probability that the MOAC will guess our password: + +``` +P(n,B) = B/2ⁿ +``` + +Plug in our expression for B: + +``` +P(n,E) = E/(2ⁿkT) +``` + +### Calculating the mass-energy of the observable universe + +How much energy can the MOAC use? It can use the entire mass-energy of the observable universe!³ Simply stuff the observable universe into the attached 100% efficient furnace, turn on the burner, and generate power for the computer. You might need to ask a friend for help. + +Just how much energy is that? The mass-energy equivalence formula is quite simple: + +``` +E = mc² +``` + +We're trying to find E and we know c, the speed of light, is 299,792,458 m/s. That leaves m. What's the mass of the observable universe? + +### Calculating the critical density of the observable universe + +Critical density is smallest average density of matter required to *almost* slow the expansion of the universe to a stop. Any more dense, and expansion will stop; any less, and expansion will never stop. + +Let D = critical density of the observable universe and V = volume of the observable universe. Mass is the product of density and volume: + +``` +m = DV +``` + +We can derive the value of D by solving for it in the Friedman equations: + + +=> https://en.wikipedia.org/wiki/Friedmann_equations Friedmann equations (Wikipedia) + +``` +D = 3Hₒ²/(8πG) +``` + +Where G is the Gravitational Constant and Hₒ is the Hubble Constant. Hₒd is the rate of expansion at proper distance d. + +=> https://en.wikipedia.org/wiki/Gravitational_constant Gravitational constant (Wikipedia) +=> https://en.wikipedia.org/wiki/Hubble%27s_law Hubble's Law (Wikipedia) + +Let's assume the observable universe is a sphere, expanding at the speed of light ever since the +Big Bang.⁴ The volume V of our spherical universe when given its radius r is: + +``` +V = (4/3)πr³ +``` + +To find the radius of the observable universe r, we can use the age of the universe t: + +``` +r = ct +``` + +Hubble's Law estimates the age of the universe to be around 1/Hₒ + +### Solving for E + +Let's plug in all the derived values into our original equation for the mass of the observable universe m: + +``` +m = DV +``` + +Remember when I opened the article by saying that none of the equations would be long or complex? + +I lied. + +``` +m = (3Hₒ²/(8πG))(4/3)π(ct)³ +m = c³/(2GHₒ) + +E = mc² +E = c⁵/(2GHₒ) +``` + +Finally! We've found an expression for the total energy the MOAC can consume. + +## Final Solution + +``` +P(n,E) = E/(2ⁿkT) +P(n, c⁵/(2GHₒ)) = c⁵/(2GHₒ*2ⁿkT) +``` + +Let's copy and paste the values for those constants from Wikipedia and Wolfram Alpha: + +* c = 299,792,458 m/s +* G ≈ 6.67408×10⁻¹¹ m³/kg/s² +* Hₒ ≈ 2.2×10⁻¹⁸ Hz (uncertain; look up the Hubble tension) +* T ≈ 2.7 K +* k ≈ 1.3806503×10⁻²³ J/K + +Plugging those in and simplifying: + +P(n) ≈ 2.21×10⁹² / 2ⁿ + +Here are some sample outputs: + +* P(256) ≈ 1.9×10¹⁵ (password certainly cracked after burning 1.9 quadrillionth of the mass-energy of the observable universe). +* P(306.76) ≈ 1 (password certainly cracked after burning the mass-energy of the observable universe) +* P(310) ≈ 0.11 (about one in ten) +* P(326.6) ≈ 1.1×10⁻⁶ (about one in a million) + +If your threat model is a bit smaller, simulate putting a smaller object into the MOAC's furnace. For example, the Earth has a mass of 5.972×10²⁴ kg; this gives the MOAC a one-in-ten-trillion chance of cracking a password with 256 entropy bits and a 100% chance of cracking a 213-bit password. + +## Conclusion/TLDR + +Question: How much entropy should a password have to ensure it will never be vulnerable to a brute-force attack? Can the most theoretically powerful computer--the MOAC--crack your password? + +Answer: limited only by energy, if a computer with the highest level of efficiency physically possible is made of matter, does work to compute, and obeys the conservation of energy: + +* A password with 256 bits of entropy is practically immune to brute-force attacks large enough to quite literally burn the world, but is quite trivial to crack with a universe-scale fuel source. +* A password with 327 bits of entropy is nearly impossible to crack even if you burn the whole observable universe trying to do so. + +At that point, a formidable threat would rather use other means to unlock your secrets: + +=> https://xkcd.com/538/ xkcd 538: Security + +## Further reading: an alternate approach + +See Scott Aaronson's article on Cosmology and Complexity: + +=> https://www.scottaaronson.com/democritus/lec20.html Cosmology and Complexity + +He uses an alternative approach to finding the maximum bits we can work with: he simply inverts the cosmological constant. + +=> https://en.wikipedia.org/wiki/Cosmological_constant Cosmological constant (Wikipedia) + +This model takes into account more than just the mass of the observable universe. While we previously found that the MOAC can brute-force a password with 306.76 entropy bits, this model allows the same for up to 405.3 bits. + + +## Acknowledgements + +Thanks to Barna Zsombor and InPhase for helping me over IRC with my shaky physics and pointing out the caveats of my approach. + +My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article. + +## Citations and Footnotes + +¹ James Massey (1994). "Guessing and entropy" (PDF). Proceedings of 1994 IEEE. International Symposium on Information Theory. IEEE. p. 204. + +² Assis, A. K. T.; Neves, M. C. D. (3 July 1995). "History of the 2.7 K. Temperature Prior to Penzias and Wilson" + +³ The MOAC 2 was supposed to be able to consume other sources of energy such as dark matter and dark energy. Unfortunately, Intergalactic Business Machines ran out of funds since all their previous funds, being made of matter, were consumed by the original MOAC. + +⁴ This is a massive oversimplification; there isn't a single answer to the question "What is the volume of the universe?" Using this speed-of-light approach is one of multiple valid perspectives. The absolute size of the observable universe is much greater due to the way expansion works, but stuffing that into the MOAC's furnace would require moving mass faster than the speed of light. diff --git a/content/posts/password-strength.md b/content/posts/password-strength.md new file mode 100644 index 0000000..75e1261 --- /dev/null +++ b/content/posts/password-strength.md @@ -0,0 +1,321 @@ +--- +date: "2021-01-12T00:03:10-08:00" +description: "This is a tale of the intersection between thermal physics, cosmology, + and a tiny amount of computer science to answer a seemingly innocuous question: + \"How strong does a password need to be for it to be physically impossible to + brute-force, ever?\"" +outputs: +- html +- gemtext +tags: +- security +- fun +title: Becoming physically immune to brute-force attacks +--- + +This is a tale of the intersection between thermal physics, cosmology, and a tiny +amount of computer science to answer a seemingly innocuous question: "How strong does +a password need to be for it to be physically impossible to brute-force, ever?" + +*Note: this post contains equations. Since none of the equations were long or +complex, I decided to just write them out in code blocks instead of using images or +MathML the way Wikipedia does.* + +Introduction +------------ + +I realize that advice on password strength can get outdated. As supercomputers grow +more powerful, password strength recommendations need to be updated to resist +stronger brute-force attacks. Passwords that are strong today might be weak in the +future. **How long should a password be in order for it to be physically impossible +to brute-force, ever?** + +This question might not be especially practical, but it's fun to analyze and offers +interesting perspective regarding sane upper-limits on password strength. + +Asking the right question +------------------------- + +Instead of predicting what tomorrow's computers may be able to do, let's examine the +*biggest possible brute-force attack* that the laws of physics can allow. + +A supercomputer is probably faster than your phone; however, given enough time, both +are capable of doing the same calculations. If time isn't the bottleneck, energy +usage is. More efficient computers can flip more bits with a finite amount of energy. + +In other words, energy efficiency and energy availability are the two fundamental +bottlenecks of computing. What happens when a computer with the highest theoretical +energy efficiency is limited only by the mass-energy of *the entire [observable +universe](https://en.wikipedia.org/wiki/Observable_universe)?* + +Let's call this absolute unit of an energy-efficient computer the MOAC (Mother of All +Computers). For all classical that are made of matter, do work to compute, and are +bound by the conservation of energy, the MOAC represents a finite yet unreachable +limit of computational power. And yes, it can play Solitaire with *amazing* +framerates. + +How strong should your password be for it to be safe from a brute-force attack by the +MOAC? + +### Quantifying password strength. + +A good measure of password strength is **entropy bits.** The entropy bits in a +password is a base-2 logarithm of the number of guesses required to brute-force +it.[^1] + +A brute-force attack that executes 2n guesses is certain to crack a +password with *n* entropy bits, and has a one-in-two chance of cracking a password +with *n*+1 entropy bits. + +For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) +encryption is currently the industry standard for strong symmetric encryption. As the +name suggests, its keys have 256 bits of entropy; if your password has more than 256 +entropy bits, then the AES-256 encryption algorithm is the bottleneck. + +To calculate the entropy of a password, I recommend using a tool such as +[zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler) +or [KeePassXC](https://keepassxc.org/). + +The Problem +----------- + +Define a function `P`. `P` determines the probability that MOAC will correctly guess +a password with `n` bits of entropy after using `e` energy: + + P(n, e) + +If `P(n, e) ≥ 1`, the MOAC will certainly guess your password before running out of +energy. The lower `P(n, e)` is, the less likely it is for the MOAC to guess your +password. + +Caveats and estimates +--------------------- + +I don't have a strong physics background. + +When estimating, we'll prefer higher estimates that increase the odds of it guessing +a password; after all, the point of this exercise is to establish an *upper* limit on +password strength. We'll also simplify: for instance, the MOAC will not waste any +heat, and the only way it can guess a password is through brute-forcing. Focusing on +too many details would defeat the point of this thought experiment. + +I won't address any particular encryption algorithms; this is just a pure and simple +brute-force attack given precomputed password entropy. Furthermore, quantum computers +can use [Grover's algorithm](https://en.wikipedia.org/wiki/Grover%27s_algorithm) for +an exponential speed-up; to account for quantum computers using Grover's algorithm, +calculate `P(n/2, e)` instead. + +Obviously, I'm not taking into account future mathematical advances; my crystal ball +broke after I asked it if humanity would ever develop the technology to make anime +real. + +Computation +----------- + +How much energy does MOAC use per guess during a brute-force attack? In the context +of this thought experiment, this number should be unrealistically low. I settled on +[`kT`](https://en.wikipedia.org/wiki/KT_(energy)). `k` represents the [Boltzmann +Constant](https://en.wikipedia.org/wiki/Boltzmann_constant) (about +1.381×10-23 J/K) and `T` represents the temperature of the system. Their +product corresponds to the amount of heat required to create a 1 nat increase in a +system's entropy. + +A more involved approach to picking a good value might utilize the [Plank-Einstein +relation](https://en.wikipedia.org/wiki/Planck%E2%80%93Einstein_relation). + +It's also probably a better idea to make this value an estimate for flipping a single +bit, and to estimate the average number of bit-flips it takes to make a single +password guess. If that bothers you, pick a number `b` you believe to be a good +estimate for a bit-flip-count and calculate `P(n+b, e)` instead of `P(n, e)`. + +What's the temperature of the system? Three pieces of information help us find out: + +1. The MOAC is located somewhere in the observable universe +2. The MOAC will be consuming the entire observable universe +3. The universe is mostly empty + +A good value for `T` would be the average temperature of the entire observable +universe. The universe is mostly empty; `T` is around the temperature of cosmic +background radiation in space. The lowest reasonable estimate for this temperature is +2.7 degrees Kelvin.[^2] A lower temperature means less energy usage, less energy +usage allows more computations, and more computations raises the upper limit on +password strength. + +Every guess, the MOAC expends `kT` energy. Let `E` = the total amount of energy the +MOAC can use; let `B` = the maximum number of guesses the MOAC can execute before +running out of energy. + + B = E/(kT) + +Now, given the maximum number of passwords the MOAC can guess `B` and the bits of +entropy in our password `n`, we have an equation for the probability that the MOAC +will guess our password: + + P(n,B) = B/2ⁿ + +Plug in our expression for `B`: + + P(n,E) = E/(2ⁿkT) + +### Calculating the mass-energy of the observable universe + +The MOAC can use the entire mass-energy of the observable universe.[^3] Simply stuff +the observable universe into the attached 100% efficient furnace, turn on the burner, +and generate power for the computer. You might need to ask a friend for help. + +Just how much energy is that? The mass-energy equivalence formula is quite simple: + + E = mc² + +We're trying to find `E` and we know `c`, the speed of light, is 299,792,458 m/s. +That leaves `m`. What's the mass of the observable universe? + +### Calculating the critical density of the observable universe + +Critical density is smallest average density of matter required to *almost* slow the +expansion of the universe to a stop. Any more dense, and expansion will stop; any +less, and expansion will never stop. + +Let `D` = critical density of the observable universe and `V` = volume of the +observable universe. Mass is the product of density and volume: + + m = DV + +We can derive the value of D by solving for it in the [Friedman +equations](https://en.wikipedia.org/wiki/Friedmann_equations): + + D = 3Hₒ²/(8πG) + +Where `G` is the [Gravitational +Constant](https://en.wikipedia.org/wiki/Gravitational_constant) and `Hₒ` is the +[Hubble Constant](https://en.wikipedia.org/wiki/Hubble%27s_law). `Hₒd` is the rate of +expansion at proper distance `d`. + +Let's assume the observable universe is a sphere, expanding at the speed of light +ever since the Big Bang.[^4] The volume `V` of our spherical universe when given its +radius `r` is: + + V = (4/3)πr³ + +To find the radius of the observable universe `r`, we can use the age of the universe +`t`: + + r = ct + +Hubble's Law estimates the age of the universe to be around `1/Hₒ` + +### Solving for E + +Let's plug in all the derived values into our original equation for the mass of the +observable universe `m`: + + m = DV + +Remember when I opened the article by saying that none of the equations would be long +or complex? + +I lied. + + m = (3Hₒ²/(8πG))(4/3)π(ct)³ + m = c³/(2GHₒ) + + E = mc² + E = c⁵/(2GHₒ) + +Yay, we found an expression for the total energy the MOAC can consume! + +Final Solution +-------------- + + P(n,E) = E/(2ⁿkT) + P(n, c⁵/(2GHₒ)) = c⁵/(2GHₒ*2ⁿkT) + +Let's copy and paste the values for those constants from Wikipedia and Wolfram Alpha: + +- c = 299,792,458 m/s +- G ≈ 6.67408×10-11 m³/kg/s² +- Hₒ ≈ 2.2×10-18 Hz (uncertain; look up the Hubble tension) +- T ≈ 2.7 K +- k ≈ 1.3806503×10-23 J/K + +Plugging those in and simplifying: + +**P(n) ≈ 2.21×1092 / 2n** + +Here are some sample outputs: + +- P(256) ≈ 1.9×1015 (password certainly cracked after burning 1.9 + quadrillionth of the mass-energy of the observable universe). + +- P(306.76) ≈ 1 (password certainly cracked after burning the mass-energy of the + observable universe) + +- P(310) ≈ 0.11 (about one in ten) + +- P(326.6) ≈ 1.1×10-6 (about one in a million) + +If your threat model is a bit smaller, simulate putting a smaller object into the +MOAC's furnace. For example, the Earth has a mass of 5.972×1024 kg; this +gives the MOAC a one-in-ten-trillion chance of cracking a password with 256 entropy +bits and a 100% chance of cracking a 213-bit password. + +Conclusion/TLDR +--------------- + +Question: How much entropy should a password have to ensure it will *never* be +vulnerable to a brute-force attack? Can an impossibly efficient computer--the +MOAC--crack your password? + +Answer: limited only by energy, if a computer with the highest level of efficiency +physically possible is made of matter, does work to compute, and obeys the +conservation of energy: + +- A password with 256 bits of entropy is practically immune to brute-force attacks + large enough to quite literally burn the world, but is quite trivial to crack with + a universe-scale fuel source. +- A password with 327 bits of entropy is nearly impossible to crack even if you burn + the whole observable universe trying to do so. + +At that point, a formidable threat would rather use [other +means](https://xkcd.com/538/) to unlock your secrets. + +Further reading: an alternative approach +---------------------------------------- + +Check out Scott Aaronson's article, [Cosmology and +Complexity](https://www.scottaaronson.com/democritus/lec20.html%20Cosmology%20and%20Complexity). +He uses an alternative approach to finding the maximum bits we can work with: he +simply inverts the [cosmological +constant](https://en.wikipedia.org/wiki/Cosmological_constant). + +This model takes into account more than just the mass of the observable universe. +While we previously found that the MOAC can brute-force a password with 306.76 +entropy bits, this model allows the same for up to 405.3 bits. + +Acknowledgements +---------------- + +Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan +Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and +pointing out the caveats of my approach. + +My notes from Thermal Physics weren't enough to write this; various Wikipedia +articles were also quite helpful, most of which were linked in the body of the +article. + +[^1]: James Massey (1994). "Guessing and entropy" (PDF). Proceedings of 1994 IEEE + International Symposium on Information Theory. IEEE. p. 204. + +[^2]: Assis, A. K. T.; Neves, M. C. D. (3 July 1995). "History of the 2.7 K + Temperature Prior to Penzias and Wilson" + +[^3]: The MOAC 2 was supposed to be able to consume other sources of energy such as + dark matter and dark energy. Unfortunately, Intergalactic Business Machines ran out + of funds since all their previous funds, being made of matter, were consumed by the + original MOAC. + +[^4]: This is a massive oversimplification; there isn't a single answer to the + question "What is the volume of the observable universe?" Using this speed-of-light + approach is one of multiple valid perspectives. The absolute size of the observable + universe is much greater due to the way expansion works, but stuffing that into the + MOAC's furnace would require moving mass faster than the speed of light.