Assume you are willing to wait 1 minute for a computer to verify a password you've entered, perhaps unlocking full disk encryption during device boot up. The password hashing KDF algorithm has been tuned to take 1 minute.
Assume the attacker, say the government, is willing to spend 1 year brute-forcing your password. How long should your password be?
Assume your password is a PIN of numerical digits.
The unspecified factor is how much more powerful the attacker's hardware is compared to your device. Assume the factor is 10^N.
Then the attacker can make 10^N guesses per minute, or 10^N × MIAY guesses per year, where MIAY is the number of minutes in a year, made famous by the song from "Rent". For the PIN space to exceed that, the length of one's PIN should be N + log10(MIAY). The common logarithm of MIAY is 5.72; call it 6.
If the attacker's hardware is 100,000 (10^5) times more powerful than your device (e.g., your phone), then you need a 5 + 6 = 11 digit PIN.