Bit Strength Threshold
As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk. In contrast, others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to Bruce Schneier, most people are good at securing their wallets or purses, which is a "great place" to store a written password.
Some basic benchmarks have been established for brute force searches in the context of attempting to find keys used in encryption. The problem is not the same since these approaches involve astronomical numbers of trials, but the results are suggestive for password choice. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware. In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days. As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer (or combination) will be capable of breaking 256-bit encryption via a brute-force attack. Whether or not quantum computers will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.
As a result, there can be no exact answer to the somewhat different problem of the password strength required to resist a brute-force attack in practice. NIST recommends 80 bits for the most secure passwords, which can nearly be achieved with a 12-character random password drawn from a 95-character set (e.g., the original ASCII character set): 12 x 6.5 bits = 78 bits. A 2010 Georgia Tech Research Institute study also recommended a 12-character random password, but as a minimum length requirement.
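The arithmetic above can be checked and extended with a short script. This is an added example, not part of the original text: it computes the entropy of a uniformly random password, the shortest length that actually reaches a target bit strength, and a rough search time scaled from the 72-bit distributed.net estimate quoted above. The function names are hypothetical, and the scaling assumes the same hardware with the work doubling for every extra bit.

```python
import math
import secrets

# The 95 printable ASCII characters (space through tilde): the "95-character set" above.
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose characters are drawn uniformly at random."""
    if alphabet_size < 2 or length < 0:
        raise ValueError("need at least 2 symbols and a non-negative length")
    return length * math.log2(alphabet_size)

def min_length(alphabet_size: int, target_bits: float) -> int:
    """Shortest random password over the alphabet that reaches target_bits."""
    if alphabet_size < 2:
        raise ValueError("need at least 2 symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))

def scaled_search_days(bits: float, ref_bits: int = 72, ref_days: float = 45_579) -> float:
    """Scale the quoted 72-bit estimate (45,579 days) to another bit strength.

    Assumption: identical hardware, and each additional bit doubles the work.
    """
    return ref_days * 2.0 ** (bits - ref_bits)

def random_password(length: int, alphabet: str = PRINTABLE_ASCII) -> str:
    """Generate a password with the OS CSPRNG so the entropy figure really applies."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicate symbols; entropy would be overstated")
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    n = len(PRINTABLE_ASCII)
    print(f"bits per character : {math.log2(n):.2f}")            # the text rounds this to 6.5
    print(f"12 random chars    : {entropy_bits(n, 12):.1f} bits")
    print(f"length for 80 bits : {min_length(n, 80)} characters")
    print(f"78-bit search time : {scaled_search_days(78):,.0f} days (scaled estimate)")
    print(f"sample password    : {random_password(min_length(n, 80))!r}")
```

The entropy figures hold only for passwords generated uniformly at random; a human-chosen password of the same length and character set has far less entropy.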