Encryption of login passwords--where and how is it done?

Anthony Atkielski atkielski.anthony at wanadoo.fr
Sat Apr 16 06:06:11 PDT 2005


Chris writes:

> Ummm - Somehow, somewhere, I was always taught that the longer the
> password, the better. So, how can a short password (say 10 bytes) be as
> secure as a 128 byte?

It depends on how the password is encrypted and stored.  A short, random
password may be more secure than a long, less-random
password--especially if the password logic discards all characters
beyond a certain point, or doesn't hash the entire password in a way
that maximizes the extraction of entropy from the password.

For example, on a system that uses only the first eight bytes of a
password, you'd want a pretty random string of eight bytes, like
"uhhxuapo48", but on a system that accepts 128 bytes and pumps them
through a message digest algorithm to maximize the amount of randomness
it extracts from the string, you could use something like "tiles cloven
thru *STARZ/, and zen pop-tarts conceal," and get something that is both
easier to remember _and_ more secure (because it provides more bits of
entropy if properly processed).

-- 
Anthony
