From 349ff7700bda615cc9153eee0029440f734c2b66 Mon Sep 17 00:00:00 2001 From: rfjakob Date: Sat, 2 Jun 2018 13:22:33 +0200 Subject: Created Password Strength (markdown) --- Password-Strength.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Password-Strength.md diff --git a/Password-Strength.md b/Password-Strength.md new file mode 100644 index 0000000..7ebbac7 --- /dev/null +++ b/Password-Strength.md @@ -0,0 +1,15 @@ +I recommend between 64 and 128 bits of entropy. Depending on the character set, this translates to the password lengths below, when the passwords are randomly generated (using KeePass etc): + +Character Set | Password length | Password length +-- | -- | -- +(number of different characters) | for >= 64 bits of entropy | for >= 128 bits of entropy +`0-9` (10) | 20 | 39 +`a-z0-9` (36) | 13 | 25 +`A-Za-z0-9` (62) | 11 | 22 +`A-Za-z0-9%$&/...` (95) | 10 | 20 + +gocryptfs uses *scrypt* password hashing. The [scrypt paper](https://www.tarsnap.com/scrypt/scrypt.pdf) includes this table that estimates the cost for cracking a password in one year: + +![scrypt-table1](https://user-images.githubusercontent.com/286847/40873575-2b7c6436-6663-11e8-827c-ee327269d826.png) + +So it would cost 43 Billion Dollars to crack a 64-bit password. Adding another alphanumeric character multiplies the cost by 62. \ No newline at end of file -- cgit v1.2.3
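Review bot: The closing line "So it would cost 43 Billion Dollars to crack a 64-bit password" does not say which row and column of the scrypt table it is read from, and that table is only present as an embedded image, so the figure cannot be checked from the page text. Please name the table entry and the scrypt setting it assumes, say whether that setting matches the parameters gocryptfs uses, and write "a password with 64 bits of entropy" to match the wording of the first paragraph. The "multiplies the cost by 62" remark holds only for the `A-Za-z0-9` (62) row, so it should say so, since the table above it also lists 10, 36 and 95 character sets. The listed lengths are consistent with ceil(bits / log2(N)) for each set; stating that formula next to the table would let readers work out lengths for other sets. Smaller points: the second header line ("(number of different characters) | for >= 64 bits of entropy | ...") sits below the `--` separator and will render as a data row, so fold it into the header cells, and the file is missing a trailing newline.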