[Whonix-devel] Fwd: Re: Password length and Quantum Computing Implications

procmem procmem at riseup.net
Sat Aug 11 18:24:00 CEST 2018




-------- Forwarded Message --------
Subject: Re: Password length and Quantum Computing Implications
Date: Sat, 11 Aug 2018 14:04:58 +0200
From: Jean-Philippe Aumasson <jeanphilippe.aumasson at gmail.com>
To: procmem <procmem at riseup.net>
CC: whonix-devel at whonix.org

Hi!

You want the passphrase to have at least as much entropy as the bit length
of the symmetric key that is derived from it.

In theory, Grover’s quantum search algorithm could lower down the cost of
searching the right passphrase from ~2^128 to (very) roughly ~2^64.

How to get higher entropy passphrase? You can have a longer passphrase, a
longer dictionary (that is, more entropy per word), or both.

BIP 39 for example supports 128 to 256 bits of entropy per passphrase, iirc
with 2048-word lists, thus longer passphrase for higher entropy, see
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Hope this clarifies!

Best,

JP
On Fri, 10 Aug 2018 at 22:26, procmem <procmem at riseup.net> wrote:

> Hi JP. Whonix dev here. We are currently discussing the best advice for
> generating strong passphrases for our users and so I wanted your advice
> on a few questions.
>
> According to The Intercept [0] using something like diceware is
> recommended and a 10 word passphrase has 128 bits of more than enough to
> stop the strongest adversaires for the forseeable future.
>
> The IAD/NIST [1] recommends using 256 bit encryption for AES. Does this
> translate into a need for 256 bit passphrases?
>
> I may be misunderstanding but cipher keylength =/= password entropy?
>
> Do quantum computers have implications for passphrase (not master key)
> bruteforcing?
>
> Now if it turns out I’m wrong the question becomes: how can a 10 word
> passphrase be easily enhanced to get as high entropy as possible without
> having to double its size?
>
> There is an option for diceware to sprinkle random characters in its
> output but I don’t know how much entropy bits it adds. Do you know?
>
> I CC'd our mailing list so ou reply can benefit our users. Thanks in
> advance.
>
> ***
>
> [0]
>
> https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
> [1] https://www.keylength.com/en/compare/
>



More information about the Whonix-devel mailing list