12

I'm using encryption on my entire HDD (AES-256) and I'm wondering what length password I would need so that the password also is 256 bits. As we all know, the password is usually the weak link with encryption, so I think this is a good thing to know. The password will be made up of letters (capital and small), numbers and punctuation, and be random. Thanks.

danabba222
  • This question isn't programming related, so I've voted to migrate it to http://superuser.com. – Greg Hewgill Mar 07 '11 at 03:16
  • 1
    It is related to the design of a program, and security.stackexchange.com might be an alternative venue, but this seems fine to me. There are plenty of related questions on SO. – Jonathan Leffler Mar 07 '11 at 03:17
  • 1
    Ah, I read the question as "*I'm using [a program that provides] encryption*" instead of "*I'm writing an encryption program*" – Greg Hewgill Mar 07 '11 at 03:29

3 Answers

11

If the password is truly random (aka non-memorizable), then with the characters described, you are getting about 6 bits of randomness per 8-bit byte of password. Therefore, you need about (256 / 6) = 43 characters in the password to contain about 256 bits of randomness. If the password is memorable, you need many more characters to attain the 256 bits of randomness. Running English text has less than 4 bits of randomness per byte.

You might do better to take a long pass-phrase and generate a 256-bit hash of that (SHA-256, perhaps). Your pass-phrase might be a miniature essay - maybe 80-128 characters long; more would not hurt.

Jonathan Leffler
5

If you're using only letters and numbers, then you've got a total of 26 × 2 + 10 = 62 possible values per character. That's close to 64, so you have just under 6 bits of entropy per character.

If you want 256 bits, then you need about 43 characters from your character set.

Greg Hewgill
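The arithmetic in the two answers above, as an added example that is not part of the original answers: it generalizes the length calculation to any alphabet size, draws the password from a CSPRNG, and shows the pass-phrase hashing approach. The function names and the 2 bits/char rate for ordinary prose are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# The question's character set: upper/lower letters, digits, punctuation (94 symbols).
FULL_SET = string.ascii_letters + string.digits + string.punctuation
ALNUM_SET = string.ascii_letters + string.digits  # the 62-symbol set from the answer


def chars_needed(target_bits: int, bits_per_char: float) -> int:
    """Smallest character count whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_char)


def random_password(target_bits: int, alphabet: str) -> str:
    """Uniformly random password carrying at least target_bits of entropy."""
    symbols = sorted(set(alphabet))  # duplicates would skew the distribution
    length = chars_needed(target_bits, math.log2(len(symbols)))
    # secrets.choice draws from the OS CSPRNG, unlike random.choice
    return "".join(secrets.choice(symbols) for _ in range(length))


def key_from_passphrase(passphrase: str) -> bytes:
    """256-bit key as a single SHA-256 of the pass-phrase, as the answer suggests."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def effective_key_bits(passphrase_len: int, bits_per_char: float) -> float:
    """Hashing adds no entropy: the key is capped by the pass-phrase's own entropy."""
    return min(256.0, passphrase_len * bits_per_char)


if __name__ == "__main__":
    for name, alphabet in (("62 alphanumerics", ALNUM_SET), ("94 printable", FULL_SET)):
        bits = math.log2(len(alphabet))
        print(f"{name}: {bits:.2f} bits/char, {chars_needed(256, bits)} chars for 256 bits")
    print("sample password:", random_password(256, FULL_SET))
    # Constructed estimates: English text at the answer's upper bound of 4 bits/char,
    # and at an assumed 2 bits/char for ordinary prose.
    for rate in (4.0, 2.0):
        print(f"{rate} bits/char: {chars_needed(256, rate)} chars needed, "
              f"80-char phrase gives {effective_key_bits(80, rate):.0f} bits")
    print("key:", key_from_passphrase("constructed sample pass-phrase").hex())
```

The 256-bit output of the hash is only as strong as the pass-phrase fed into it, which is why the pass-phrase length matters more than the hash width.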
2

Further reading: http://en.wikipedia.org/wiki/Password_strength

Matt