
What about 20 characters?

Posted Jan 23, 2004 11:27 UTC (Fri) by paulsheer (guest, #3925)
Parent article: A weak cryptoloop implementation in Linux?


When you run losetup, it does not let you proceed unless
the password is more than 20 characters:

/sbin/losetup -e AES128 /dev/loop0 FILE
Password: xxxx
Error: Password string must be at least 20 characters.

20 ASCII characters is a 130 bit key.
If they are lower case only, and composed of whole
words (and, say, there are 10000 words to choose from)
then we have (10000^5) ~= 66 bits.

- this is a worst case, but long enough to be secure IMO.

My question is: was the loopback device ever MEANT to
be secure against a chosen plaintext attack? Surely not.
I believe it should be dead obvious to users
that a long key is essential because there is
no protocol protection.

Further, the other vulnerabilities should
also be obvious: key snooping + memory snooping
during setup, etc. These are all *obvious* attacks that
the user ought to be aware of. Also, you can't really be
protected against such attacks within the scope of what
such software is trying to provide.

The loopback device is possibly the best way of securing
your data because it's simple and clean and basically as
secure as the block cipher you are using.

-paul




What about 20 characters?

Posted Jan 24, 2004 6:23 UTC (Sat) by obobo (guest, #684)

Typical entropy for text is about one bit per character, IIRC. That is taking into account correlations between adjacent words, etc. Granted that it is probably somewhat higher for short text fragments, but still... a dictionary of 2^40 passphrases would be rather potent for cracking 20 character text-fragment based passwords.

What about 20 characters?

Posted Feb 2, 2004 15:47 UTC (Mon) by lars_stefan_axelsson (guest, #10660)

> Typical entropy for text is about one bit per character, IIRC. That is taking into account correlations between adjacent words, etc. Granted that it is probably somewhat higher for short text fragments, but still... a dictionary of 2^40 passphrases would be rather potent for cracking 20 character text-fragment based passwords.

Well, the estimates of the entropy of 'typical' English texts range anywhere between 1.0 and 2.63 (one of Shannon's estimates), and 2.0 would give you 40 bits. However, and that's a big 'however' IMHO, we're not talking typical English text, but a passphrase. Password entropy can easily be 4 bits per character without having to remember a 'random' password, and there's no reason not to choose a passphrase consisting of several 'password like' words strung together.

That ought to give you a decent passphrase with sufficient entropy in 20 characters.

I'm ignoring the general hopelessness of the entire subject of passwords, of course. But if you're savvy enough to be able to use loopback encryption, and sufficiently bothered by secrecy issues to bother, you ought to be able to come up with a decent passphrase and commit it to memory.

