How secure are passwords with under 20 characters length

brute-force-attacksencryptionpassword

I recently received a recommandation for setting my password to above 20 characters. The algorithm used for encryption is AES with a 256 bit primary key. How secure is a, let's say, 8 char password against brute force attacks for deciphering encrypted files?

I know that this is considered a good password size on most websites. One reason of this is that they can stop an attack after 3 attemps or so.

Best Answer

This is an interesting article (see PDF print if web archive unavailable). It details how long it would theoretically take to brute force a password for different lengths and symbol sets.

Related Solutions

Ssh – long SSH password vs SSH Keys

Well, a typical SSH key is somewhere around 1024 or 2048 bytes. That's a chunk longer than any password you're going to type in a reasonable amount of time. The whole advantage to ssh keys is that your key password (you do set passwords on your ssh keys, right?) is effectively a proxy to the higher security of the key.

The big advantage to keys is that your password never traverses the network. A relatively common attack is to install a trojaned version of the ssh server; when people type in passwords, the modified server records them and sends them elsewhere. This is a particular problem because these same passwords often are used for access to a number of systems/services.

ssh keys largely eliminate this problem.

Ssh keys are usually simple to set up. You stick the public key on the remote system in the appropriate authorized_keys file, and configure your local ssh to present the appropriate private key when you connect. If you're having some specific problems we can probably help you work things out.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Ssh – long SSH password vs SSH Keys

Ssh – How to automate SSH login with password

Related Topic