Password Strength - Bit Strength Threshold

Bit Strength Threshold

As a practical matter, passwords must be both reasonable and functional for the end user as well as strong enough for the intended purpose. Passwords that are too difficult to remember may be forgotten and so are more likely to be written on paper, which some consider a security risk. In contrast, others argue that forcing users to remember passwords without assistance can only accommodate weak passwords, and thus poses a greater security risk. According to Bruce Schneier, most people are good at securing their wallets or purses, which is a "great place" to store a written password.

Some basic benchmarks have been established for brute force searches in the context of attempting to find keys used in encryption. The problem is not the same since these approaches involve astronomical numbers of trials, but the results are suggestive for password choice. In 1999, an Electronic Frontier Foundation project broke 56-bit DES encryption in less than a day using specially designed hardware. In 2002, distributed.net cracked a 64-bit key in 4 years, 9 months, and 23 days. As of October 12, 2011, distributed.net estimates that cracking a 72-bit key using current hardware will take about 45,579 days or 124.8 years. Due to currently understood limitations from fundamental physics, there is no expectation that any digital computer (or combination) will be capable of breaking 256-bit encryption via a brute-force attack. Whether or not quantum computers will be able to do so in practice is still unknown, though theoretical analysis suggests such possibilities.

As a result, there can be no exact answer to the somewhat different problem of the password strength required to resist brute force attack in practice. NIST recommends 80 bits for the most secure passwords, which can nearly be achieved with a 12-character random password drawn from a 95-character alphabet (e.g., the 95 printable characters of the original ASCII set): 12 × 6.5 bits ≈ 78 bits. A 2010 Georgia Tech Research Institute study also recommended a 12-character random password, but as a minimum length requirement.
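The arithmetic behind the 80-bit threshold above (bits per character times length) and the doubling-per-bit scaling behind the DES and distributed.net benchmarks can both be written down as small functions. The following is an added worked example, not code from the original article or from NIST or distributed.net; the scaling function assumes a constant search rate, which is a simplifying assumption and not something the cited projects claimed. The entropy figures hold only for passwords chosen uniformly at random; user-chosen passwords carry far less entropy than this formula suggests.

```python
import math

# Alphabet sizes used in the text: the 95 printable ASCII characters.
PRINTABLE_ASCII = 95
LOWERCASE = 26


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character drawn uniformly at random from the alphabet."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return math.log2(alphabet_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` uniformly random characters.

    Valid only for machine-generated random passwords; a human-chosen
    password of the same length and alphabet has far less entropy.
    """
    return length * bits_per_char(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a random password meets `target_bits`."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def scale_days(base_bits: int, base_days: float, target_bits: int) -> float:
    """Extrapolate an exhaustive-search benchmark to a different key size.

    Assumption (not from the article): the search rate stays the same, so
    each additional bit doubles the work and therefore the time.
    """
    return base_days * 2.0 ** (target_bits - base_bits)


if __name__ == "__main__":
    # The article's worked figure: 12 random printable-ASCII characters.
    print(f"12 chars x {bits_per_char(PRINTABLE_ASCII):.2f} bits = "
          f"{password_bits(12, PRINTABLE_ASCII):.1f} bits")
    # How long a random password must be to actually reach 80 bits.
    for name, size in (("printable ASCII", PRINTABLE_ASCII), ("lowercase", LOWERCASE)):
        print(f"80 bits from {name}: {min_length_for_bits(80, size)} characters")
    # Scale the distributed.net 72-bit estimate (45,579 days) to other sizes.
    days_72 = 45579
    print(f"72-bit estimate in years: {days_72 / 365.25:.1f}")
    print(f"56-bit at the same rate: {scale_days(72, days_72, 56):.2f} days")
    print(f"80-bit at the same rate: {scale_days(72, days_72, 80):,.0f} days")
```

Running it shows that 12 printable-ASCII characters give about 78.8 bits, so 13 characters are needed to clear 80 bits (18 characters if only lowercase letters are used), and that scaling the 72-bit figure down to 56 bits lands under one day, in line with the EFF DES result quoted above.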
