diff options
Diffstat (limited to 'Password-Strength.md')
-rw-r--r-- | Password-Strength.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/Password-Strength.md b/Password-Strength.md new file mode 100644 index 0000000..7ebbac7 --- /dev/null +++ b/Password-Strength.md @@ -0,0 +1,15 @@ +I recommend between 64 and 128 bits of entropy. Depending on the character set, this translates to the password lengths below, when the passwords are randomly generated (using KeePass etc): + +Character Set | Password length | Password length +-- | -- | -- +(number of different characters) | for >= 64 bits of entropy | for >= 128 bits of entropy +`0-9` (10) | 20 | 39 +`a-z0-9` (36) | 13 | 25 +`A-Za-z0-9` (62) | 11 | 22 +`A-Za-z0-9%$&/...` (95) | 10 | 20 + +gocryptfs uses *scrypt* password hashing. The [scrypt paper](https://www.tarsnap.com/scrypt/scrypt.pdf) includes this table that estimates the cost for cracking a password in one year: + +![scrypt-table1](https://user-images.githubusercontent.com/286847/40873575-2b7c6436-6663-11e8-827c-ee327269d826.png) + +So it would cost 43 Billion Dollars to crack a 64-bit password. Adding another alphanumeric character multiplies the cost by 62.
\ No newline at end of file |