Pass DBs reveal password lengths + PEBKAC issue

Brian Candler b.candler at pobox.com
Thu Feb 23 15:52:58 CET 2017


On 23/02/2017 13:51, Thibault Polge wrote:
>      The consequence is a serious reduction of the complexity of
>      brute-force attacks,

IMO, this is a non-issue.

Suppose each position in my password is taken from a set of N 
possibilities, and then I tell you that my password is exactly 10 
characters long.

Indeed, that means you don't have to brute-force all the 1 to 9 digit 
passwords.

But (N^1 + N^2 + N^3 ... + N^9) is far smaller than N^10; approximately 
N times smaller.

Hence the saving in brute force is a factor of 1/N. If I'm using base64 
passwords then N=64 and I've saved you about 1/64th of the total work, 
or less than 2%.

Not telling you my password length is a form of security through 
obscurity.  The strength of the password comes from its length and its 
randomness - not from keeping its length secret.

In any case: by the time I've added metadata to passwords on subsequent 
lines (URLs, usernames, comments) you're unlikely to get any dependable 
info about my password length from the gpg file length.

Regards,

Brian.
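The arithmetic in the message above, carried through as an added worked example (this is editor-supplied code, not part of Brian's post or of the pass project; the function names and the alphabet table are my own choices). It uses exact rational arithmetic so the comparison holds for large N^L without floating-point rounding, generalises the N=64, L=10 case to other alphabets and lengths, and adds the practitioner's check the message implies: the work a leaked length removes is always less than 1/N of the unknown-length search, i.e. less than log2(N/(N-1)) bits, which is tiny next to the log2(N) bits gained by one extra character.

```python
from fractions import Fraction
from math import log2

# Constructed alphabet sizes used only to drive the demonstration table.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "base64": 64,
    "printable ASCII": 95,
}


def keyspace_exact_length(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` characters: N^L."""
    return alphabet_size ** length


def keyspace_up_to_length(alphabet_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length, i.e. N^1 + N^2 + ... + N^max_length.
    This is what an attacker who does NOT know the length must enumerate."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def work_saved_by_known_length(alphabet_size: int, length: int) -> Fraction:
    """Fraction of the unknown-length search that a leaked length lets the
    attacker skip: (N^1 + ... + N^(L-1)) / (N^1 + ... + N^L).
    Returned as an exact Fraction; it is always strictly below 1/N."""
    total = keyspace_up_to_length(alphabet_size, length)
    skipped = keyspace_up_to_length(alphabet_size, length - 1)
    return Fraction(skipped, total)


def entropy_bits_lost(alphabet_size: int, length: int) -> float:
    """Bits of search effort removed by knowing the length:
    log2(unknown-length keyspace / exact-length keyspace).
    log2 of big ints is exact enough here; the ratio is close to 1."""
    total = keyspace_up_to_length(alphabet_size, length)
    remaining = keyspace_exact_length(alphabet_size, length)
    return log2(total) - log2(remaining)


def bits_gained_by_one_more_char(alphabet_size: int) -> float:
    """Each extra random character multiplies the keyspace by N: log2(N) bits."""
    return log2(alphabet_size)


def main() -> None:
    length = 10
    print(f"length leaked for an {length}-character password")
    print(f"{'alphabet':16} {'N':>3} {'work saved':>11} {'bits lost':>10} {'bits/char':>10}")
    for name, n in ALPHABETS.items():
        saved = work_saved_by_known_length(n, length)
        print(f"{name:16} {n:3d} {float(saved):10.4%} "
              f"{entropy_bits_lost(n, length):10.4f} "
              f"{bits_gained_by_one_more_char(n):10.4f}")


if __name__ == "__main__":
    main()
```

Running it shows the base64 row at roughly 1.56% work saved and about 0.023 bits lost, against 6 bits gained per added character; the same pattern holds for every alphabet, which is the quantitative version of "the strength comes from length and randomness, not from keeping the length secret".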
