Depending on how the system is implemented, a brute-force attack may not even be necessary. Even if you were to use a six-character randomly generated password like 2=w\Z9, the entropy would be less than 40 bits, meaning it would take less than 240 guesses to discover the password in a brute-force attack. For example, if you choose "password" as your password, an attacker will usually guess this on his second try (his first try would probably be an empty string). The way most password-based authentication works these days, the length and complexity of your password is directly related to how difficult it would be for an attacker to impersonate you. If, for example, you used 48 random bytes (or 300 characters of gibberish), an attacker could ignore your password and instead search for a shorter password, probably 32 bytes long, that produces the same key.Code download available at: SecurityBriefs0407.exe(349 KB) ContentsĪ Better Solution: The Password Multiplexer The key size of 256 bits puts an upper bound on the useful complexity of the password. Simpler passwords have lower entropy, and are easier to guess. If you used 32 random bytes, you would have a password with 256 bits of entropy, as would a password of 197 characters of grammatically-correct English gibberish. Rather, what matters is the password's "entropy", a measure of how hard it would be for an attacker who knew how you generated the password to guess what your password was. Since your password isn't used directly as the encryption key, its length doesn't really matter. Instead, it runs the password through a key derivation function to produce a suitable encryption key. AES-256 uses a key that is exactly 256 bits long.īecause the encryption requires a key of an exact size, 7Zip doesn't use your password directly as the encryption key.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |