Pass DBs reveal password lengths + PEBKAC issue
Brian Candler
b.candler at pobox.com
Thu Feb 23 15:52:58 CET 2017
On 23/02/2017 13:51, Thibault Polge wrote:
> The consequence is a serious reduction of the complexity of
> brute-force attacks,
IMO, this is a non-issue.
Suppose each position in my password is taken from a set of N
possibilities, and then I tell you that my password is exactly 10
characters long.
Indeed, that means you don't have to brute-force all the 1 to 9 digit
passwords.
But (N^1 + N^2 + N^3 ... + N^9) is far smaller than N^10; approximately
N times smaller.
Hence the saving in brute force is a factor of 1/N. If I'm using base64
passwords then N=64 and I've saved you about 1/64th of the total work,
or less than 2%.
Not telling you my password length is a form of security through
obscurity. The strength of the password comes from its length and its
randomness - not from keeping its length secret.
In any case: by the time I've added metadata to passwords on subsequent
lines (URLs, usernames, comments) you're unlikely to get any dependable
info about my password length from the gpg file length.
Regards,
Brian.
More information about the Password-Store
mailing list