Password length

[Jorge]

I want to sign up to axcrypt but before I do could somebody tell me how long my password should be? I’m going to be keeping it in a password manager.

How many passwords per second does axcrypt limit brute force cracking to even on a super-computer?

[SvanteSpectator]

Hello Jorge,

We don’t focus on length, but on complexity. That said – at least 10 characters, digits and symbols.

The second question can’t be answered in a precise way. AxCrypt uses a dynamic number of iterations to strengthen the effective password length with 12-14 bits (very approximately and it depends on the encrypting computer). The speed of the “super computer” is affected by the amount of money spent on it.

The better questions are:

1) What is the effective length of your password? Our password manager generates strong passwords at around 90 bits.

2) How many bits effective key length / second do you think the presumed attacker has a budget for?

[Jorge]

According to my password manager my password has 180 bits of entropy. It’s 32 characters, mixed case, numbers and symbols.

The password manager is extremely secure itself, it’s hardware based and requires a smartcard + PIN to unlock.

Would this be sufficient to thwart any realistic attack on my password? Without any information on the number of iterations it’s hard to tell.

[SvanteSpectator]

Hello Jorge,

I have no idea of the quality of the estimation of your password manager, but 32 characters is indeed very long. If it’s not a simple phrase in english or based on some other system that once known by an attacker reduces the search space, it’s a very strong password. With or without extra iterations.

So, yes, that will thwart any realistic attack.

[Author]

Posts