OverDesign - password length.

There is an aspect of SQRL which has not been tempered by reason:

    Password length.

In designing the user password needed to unlock the password system (SQRL) 
we have been guided by opinion, not facts. I hope to solve that here.

All should become clear under the "(3)++++++" heading; if not, then sorry, I am 
not able to make it simpler.

++++++++++++++
In any calculation for password length or strength there is a basic 
function, the logarithm, which is very tricky to understand and really 
manage well.

There are two aspects in which the logarithm function is used:
1.- To calculate the number of binary bits equivalent to password strength.
2.- To calculate the number of characters needed to reach a set bit length.


If you do not understand the two lines above don't despair, let's make it 
simple, as simple as possible:

(1)++++++
The strength of a password can be understood as the length of time needed to 
break it, and that time is proportional to the number of trials needed for a 
full brute-force attack (trying every possible option). So if we want a 
password that lives for 1000 years, and 1000 passwords can be tested per 
second, we will need to perform:
   1000 trials/second * 1000 years * (60*60*24*365.24) seconds/year =
            31556736000000 trials = 3.16E13 trials

Here comes the first application of the log function. That number could be 
converted to equivalent entropy bits by taking the "binary base" (base 2) 
logarithm of it:
     log(31556736000000 trials ; 2) = log(3.16E13 trials;2) = 44.84301 bits.

(2)++++++
Now, the strength of a password is a function of the number of symbols used 
at each position and the number of positions. A decimal number has 10 
symbols (0-9) and as many positions as needed to express the number. A 5 
digit number has 10^5 (10 raised to the 5th power) options, or to say the same 
in a different way: 100,000 possible values (0-99999). A 5 position base64 
string will have 64^5 values, or 1,073,741,824.

Here comes the second use of the logarithm function. If we take the 
logarithm of such a number, the exponent becomes a multiplier, and we get:
    a = b^n    ===>>  log(a;2) = n * log(b;2)
Setting t as the number of trials and s the number of symbols, we could 
write:
    t = s^n    ===>>  log(t;2) = n * log(s;2)
Then the number of needed positions (n) becomes:
    n = log(t;2) / log(s;2)

That brings all the complexity down to just one function, and that function 
can be written in a cell in any worksheet program.

(3)++++++
Bringing both items together, we could ask: what is the length required for 
a password that lasts 1000 years at 1000 tests/second in ASCII (95 symbols):

     Trials    Time     Total  equivalent      symb
     per sec.  Years    Trials    entropy        95
     1000      1000     3.16E13     44.84        10.36

sec/year is: 60 sec/min * 60 min/hr * 24 hr/day * 365.24 day/year = 31536000

(4)++++++
As Enscrypt could be made to last 1 sec, we could write this table 
(rounding the number of characters up to the nearest integer):

     Trials    Time         Total                   equivalent    symbols
     per sec.  (years)      trials                  entropy     95  64  52  32  16  10
      1              100          3,155,673,600      31.55       5   6   6   7   8  10
      1            1,000         31,556,736,000      34.87       6   6   7   7   9  11
      1           10,000        315,567,360,000      38.19       6   7   7   8  10  12
      1          100,000      3,155,673,600,000      41.52       7   7   8   9  11  13
      1        1,000,000     31,556,736,000,000      44.84       7   8   8   9  12  14
      1       10,000,000    315,567,360,000,000      48.16       8   9   9  10  13  15
      1      100,000,000  3,155,673,600,000,000      51.48       8   9  10  11  13  16


The numbers may seem small, but are accurate (AFAICT).
We could include a factor of 1000, and still get:
     Trials    Time         Total      equivalent    symbols
     per sec.  (years)      trials     entropy     95  64  52  32  16  10
      1000           100    3.16E+12    41.52       7   7   8   9  11  13
      1000         1,000    3.16E+13    44.84       7   8   8   9  12  14
      1000        10,000    3.16E+14    48.16       8   9   9  10  13  15
      1000       100,000    3.16E+15    51.49       8   9  10  11  13  16
      1000     1,000,000    3.16E+16    54.81       9  10  10  11  14  17
      1000    10,000,000    3.16E+17    58.13       9  10  11  12  15  18
      1000   100,000,000    3.16E+18    61.45      10  11  11  13  16  19


So, for example, a 10-character upper- and lower-case password (52 symbols) 
should resist for 100 thousand years without any problem.


++++++++++++++


Note: the Haystack page uses a more complex formula to calculate the "Search 
Space" or number of total trials, exactly: b*((b^n)-1)/(b-1) (the sum of a 
geometric series), where b = size of the character set and n = number of 
positions. Not far from this calculation anyway.

-- 
Mark Cross @ 02/10/2014 11:15 p.m.
Eagles may soar, but weasels don't get sucked into jet engines.

Mark
2/11/2014 3:17:50 AM
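The two logarithm steps above, the tables they produce and the Haystack variant from the note, as a worked script. This is an added example written for this page, not code from the original post, from the attached worksheet or from the SQRL project. It assumes the post's 365.24-day year (31,556,736 s) and its six alphabet sizes; `years_to_exhaust` adds the inverse calculation (how long a full search takes at a fixed guess rate) that the later replies in this thread reason about.

```python
import math

# Seconds per year as the post's tables use it: 60*60*24*365.24 = 31,556,736.
# (Assumption taken from the tables, not from the sec/year line in the post.)
SECONDS_PER_YEAR = 60 * 60 * 24 * 365.24


def trials_for_budget(trials_per_second, years):
    """Total guesses an attacker can make at a steady rate over `years`."""
    return trials_per_second * years * SECONDS_PER_YEAR


def entropy_bits(trials):
    """First use of the logarithm: a search space of `trials` guesses
    is equivalent to log2(trials) bits of entropy."""
    return math.log2(trials)


def chars_needed(bits, symbols):
    """Second use of the logarithm: the smallest n with symbols**n >= 2**bits,
    i.e. n = log2(t) / log2(s), rounded up to a whole character."""
    return math.ceil(bits / math.log2(symbols))


def haystack_search_space(symbols, length):
    """The Haystack page's count, which also includes every shorter string:
    b + b^2 + ... + b^n = b * (b^n - 1) / (b - 1)."""
    b = symbols
    return b * (b ** length - 1) // (b - 1)


def years_to_exhaust(symbols, length, trials_per_second):
    """Inverse direction: years for a full brute force of symbols**length
    guesses at a fixed rate. Slowing the rate (for example one EnScrypt run
    per guess) is what lets a short password survive."""
    return symbols ** length / trials_per_second / SECONDS_PER_YEAR


def length_table(trials_per_second, years_list, alphabets=(95, 64, 52, 32, 16, 10)):
    """Rebuild one of the post's tables: for each lifetime, the trial budget,
    its entropy in bits, and the rounded-up length for each alphabet size."""
    rows = []
    for years in years_list:
        t = trials_for_budget(trials_per_second, years)
        bits = entropy_bits(t)
        rows.append((years, t, bits, tuple(chars_needed(bits, s) for s in alphabets)))
    return rows


if __name__ == "__main__":
    rate = 1000
    print(f"{rate} trials/s; columns: years, total trials, bits, chars for 95/64/52/32/16/10 symbols")
    for years, t, bits, chars in length_table(rate, [10 ** k for k in range(2, 9)]):
        print(f"{years:>12,} {t:12.3e} {bits:6.2f}  {' '.join(f'{c:2d}' for c in chars)}")
    print("95^5 exact vs Haystack count:", 95 ** 5, haystack_search_space(95, 5))
    print("years to exhaust 95^5 at 1 trial/s:", round(years_to_exhaust(95, 5, 1), 1))
```

Run stand-alone it prints the 1000-trials-per-second table. `chars_needed` is the `n = log(t;2)/log(s;2)` formula from section (2); in a LibreOffice cell the same thing is `=CEILING(LOG(t;2)/LOG(s;2);1)`. The `years_to_exhaust` figure (about 245 years to try all 95^5 five-character strings at one guess per second) is the point of the thread: what makes a short password survive is the cost of each guess, not the length by itself.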



Mark Cross was heard to say :

> There is an aspect of SQRL which has not been tempered by reason:
> 
>     Password length.

Probably the idea is better understood with a worksheet, so here is one from 
LibreOffice. It has been modified to fit the space constraints of this server 
but should work.



If anyone could confirm it works, it will be appreciated, thanks.


-- 
Mark Cross @ 02/11/2014 8:06 p.m.
The difference between greatness and mediocrity is often how an individual 
views a mistake... — Nelson Boswell



[Attachment: PasswordLength-e.ods (LibreOffice spreadsheet)]

Mark
2/12/2014 12:09:44 AM

Hi,

Am 12.02.2014 01:09, schrieb Mark Cross:
> If anyone could confirm it works, it will be appreciated, thanks.

What do you mean by "works"? It opens up fine with LibreOffice 4.1.5 ...

Best regards,
Karol Babioch

Karol
2/12/2014 1:22:21 AM
Karol Babioch was heard to say :

> Hi,
> 
> Am 12.02.2014 01:09, schrieb Mark Cross:
>> If anyone could confirm it works, it will be appreciated, thanks.
> 
> What do you mean by "works"? It opens up fine with LibreOffice 4.1.5 ...

Just that !!

And that there are the correct formulas in the cells and it is editable and 
you could play with the numbers.

The blue cells are intended to be modified as needed !!


But otherwise, just that it is a correct worksheet file.
The point being that I had to erase several components of the internal 
compressed original file to make it small enough for this news server, so 
I was not sure it would work (open) correctly on some other computer.

Thanks !!

-- 
Mark Cross @ 02/11/2014 9:25 p.m.
I'm a nobody, nobody is perfect, therefore I'm perfect.

Mark
2/12/2014 1:30:12 AM
On 2/10/2014 10:17 PM, Mark Cross wrote:
> There is an aspect of SQRL which has not been tempered by reason:
> 
>     Password length.
> 
> In designing the user password needed to unlock the password system (SQRL) 
> we have been guided by opinion, not facts. I hope to solve that here.

http://www.GRC.com/groups/sqrl:5001

There is still room for some conjecture, simply because we don't yet
know what advances will be made at performing Scrypt.  Yes, there are
indeed physical hardware limits to searching vast areas of memory, *but*
can we predict with any accuracy what the state-of-the-art Scrypt speed
will be in 10 years?  What about 20?  We can't imagine what we can't
imagine.

I will say this, however: if people obtain the technology to do 100
trillion guesses per second on passwords EnScrypted for 1 second or
longer, it's possible that our fundamental encryption technologies may
be at a higher risk of failure than our EnScrypted passwords/passcodes.

In all honesty, we don't need to resist *all* future attacks; just those
we can envision plus some reasonable safety margin.  If a paradigm shift
occurs due to unforeseeable technological advances (redundant, I know),
then everyone will simply create new identities on a hardened SQRL5
platform, just as they will stop using the cracked TLS1.5 in favor of
something else someday.  Yes, SQRL will be much more entrenched than an
SSL version (though history suggests otherwise), but we cannot plan for
all futures and trying to do so is counter-productive.

Yes, we want to be well-protected from unknown attacks, but we also
don't want to "waste" entropy that merely clogs up usability while
providing no *relevant* security whatsoever.  Loss or theft, not brute
force, are the biggest threats to SQRL Access Codes *and even* user
passwords!

This is why SQRL has been so difficult to design, IMO; our dependence
upon first-party responsibility means we *must* eventually hand over
responsibility to those parties.  The website authentication part was
fairly straightforward right up until that pesky *first-party* started
asking for revocation privileges!  Try as we might, we cannot create a
user-proof identity solution.  If users want to be responsible for their
own online identities, then they must backup their keys in a secure
location.

-- 

 RobAllen
_____________________________________________________
RobAllen
2/12/2014 3:40:59 AM
Worked fine here. This spreadsheet is COOL!


Disclosure: --Not a dev. Just an occasional lurker.--

Like the Haystacks page, your spreadsheet brings great visibility to the 
effectiveness of a password you might be considering. From this, I've 
learned that when you can use some means to put the brakes on the rate 
an attacker can make trials, the effectiveness of a given password 
length goes up dramatically. So a really long and or complex password is 
necessary only when your attacker will be more or less unbounded in 
their ability to bring conceivable computing resources to bear on a 
brute-force effort (e.g. a website from which an attacker exfiltrated the 
encrypted password database).

Take from the table in your original post, the /seemingly/ weak password 
of length-5 from the full ASCII set, with the equivalent entropy of 
31.55 bits. If you had the power of today's Bitcoin hashing network 
(crunching 22606 Tera-hashes/sec), you could crack that flimsy thing on 
the order of (2^31.55/22606E+12) = 139 ns. But, slow the trials rate to 
1/sec, and you need on the order of 3 Gs (100 years) to complete a full 
brute force.

So what you're saying is: since SQRL eliminates the need for the website 
to keep something like an encrypted password database, and the design of 
the system incorporates a method for fixing relative upper-bounds on the 
achievable trials rate, it's not as important that a user of SQRL fret 
too much about the length of the password safeguarding their ID key.

Have I got that?
Good demo.

-- 
OpenPGP 0x06b4de19 (http://keyserver.pgp.com; http://keys.gnupg.net:11371)
Andrew
2/18/2014 8:44:01 AM
Andrew Skretvedt was heard to say :

> Worked fine here. This spreadsheet is COOL!

Thanks, I am happy you like it.

> Like the Haystacks page, your spreadsheet brings great visibility to the
> effectiveness of a password you might be considering. From this, I've
> learned that when you can use some means to put the brakes on the rate
> an attacker can make trials, the effectiveness of a given password
> length goes up dramatically. So a really long and or complex password is
> necessary only when your attacker will be more or less unbounded in
> their ability to bring conceivable computing resources to bear on a
> brute-force effort (e.g. a website from which an attacker exfiltrated the
> encrypted password database).

Your description is excellent and exactly the point I was trying to get through.
Thanks for sharing your thoughts on the matter.

> Take from the table in your original post, the /seemingly/ weak password
> of length-5 from the full ASCII set, with the equivalent entropy of
> 31.55 bits. If you had the power of today's Bitcoin hashing network
> (crunching 22606 Tera-hashes/sec), you could crack that flimsy thing on
> the order of (2^31.55/22606E+12) = 139 ns. But, slow the trials rate to
> 1/sec, and you need on the order of 3 Gs (100 years) to complete a full
> brute force.

Yes!

> So what you're saying is: since SQRL eliminates the need for the website
> to keep something like an encrypted password database, and the design of
> the system incorporates a method for fixing relative upper-bounds on the
> achievable trials rate, it's not as important that a user of SQRL fret
> too much about the length of the password safeguarding their ID key.
> 
> Have I got that?

Yes, you have got it very well. :-)

> Good demo.

Thanks again.

-- 
Mark Cross @ 02/18/2014 6:20 p.m.
Everybody wants to go to heaven, but nobody wants to die.

Mark
2/18/2014 10:23:10 PM