From 6f610238f7a91e31dd1c33f720b7312a563f9cf5 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sun, 17 Jan 2021 23:49:12 -0800 Subject: [PATCH] Explicitly clarify types of passwords Explicitly limit the scope of the article to just passwords used in encryption/decryption. --- content/posts/password-strength.gmi | 2 ++ content/posts/password-strength.md | 7 ++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/content/posts/password-strength.gmi b/content/posts/password-strength.gmi index 07bf5d7..d2968f9 100644 --- a/content/posts/password-strength.gmi +++ b/content/posts/password-strength.gmi @@ -12,6 +12,8 @@ This question might not be especially practical, but it's fun to analyze and off ## Asking the right question +Let's limit the scope of this article to passwords used in encryption/decryption. An attacker is trying to guess a password to decrypt something. + Instead of predicting what tomorrow's computers may be able to do, let's examine the biggest possible brute-force attack that the laws of physics can allow. A supercomputer is probably faster than your phone; however, given enough time, both are capable of doing the same calculations. If time isn't the bottleneck, energy usage is. More efficient computers can flip more bits with a finite amount of energy. diff --git a/content/posts/password-strength.md b/content/posts/password-strength.md index 385b04f..d5b75dd 100644 --- a/content/posts/password-strength.md +++ b/content/posts/password-strength.md @@ -37,6 +37,9 @@ interesting perspective regarding sane upper-limits on password strength. Asking the right question ------------------------- +Let's limit the scope of this article to passwords used in encryption/decryption. An +attacker is trying to guess a password to decrypt something. + Instead of predicting what tomorrow's computers may be able to do, let's examine the *biggest possible brute-force attack* that the laws of physics can allow. 
@@ -60,7 +63,9 @@ MOAC? ### Quantifying password strength. -*A previous version of this section wasn't clear and accurate. I've since removed the offending bits and added a clarification about salting/hashing to the [Caveats and estimates]({{}}) section.* +*A previous version of this section wasn't clear and accurate. I've since removed the +offending bits and added a clarification about salting/hashing to the [Caveats and +estimates]({{}}) section.* A good measure of password strength is **entropy bits.** The entropy bits in a password is a base-2 logarithm of the number of guesses required to brute-force
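Review bot: in the `password-strength.gmi` hunk (`@@ -12,6 +12,8 @@`), the new scope sentence states the attacker "is trying to guess a password to decrypt something" but leaves the attack model implicit; since the paragraph that follows reasons about the "biggest possible brute-force attack that the laws of physics can allow", it would help to say plainly that the attacker is assumed to hold the ciphertext and guess offline, with no server-side rate limiting or lockout in the way, e.g. "An attacker has the encrypted data and is trying to guess the password offline." Stating the exclusion (login passwords for online services, which the commit subject is meant to rule out) in the same sentence would make the scope unambiguous.

Review bot: the `password-strength.md` hunk (`@@ -37,6 +37,9 @@`) duplicates the gemtext sentence verbatim, only hard-wrapped at roughly 80 columns, which matches each file's own line convention (gemtext keeps one line per paragraph, the markdown file is wrapped); whatever wording is settled on for the gemtext copy should be applied here too so the two renderings of the article do not drift, and if the scope sentence is reworded to name the offline model, both copies need the same edit in this commit.

Review bot: the second `password-strength.md` hunk (`@@ -60,7 +63,9 @@`) is a whitespace-only reflow of the italic editorial note, so the lack of a matching `.gmi` change is expected; two things to verify on the rendered page rather than in the diff: the link target shows as `({{}})` in both the removed and added lines, so confirm the Hugo shortcode inside it actually survived and resolves to the "Caveats and estimates" section, and confirm that wrapping the link text across a line break (`[Caveats and` / `estimates]`) inside the surrounding `*…*` emphasis still renders as one link in the site's markdown renderer.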