Are previous articles on Master Password still relevant?
Dear Sir/Madame,
As per your article below, is it still recommended to use the Dice method with our own inserted string (or word)? And if so, how many words should we use?
Thanks,
Ken
https://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/
PBKDR2 Interations 1000 Iterations 25000 Iterations
GPU Acceleration No GPU GPU No GPU GPU
Guesses/second 5000 1000000 200 40000
3 words (39 bits) 544 days 2 days 17 hours 37 years 68 days
4 words (51 bits) 11,561 years 58 years 289,000 years 1,445 years
5 words (64 bits) 90 million years 449,528 years 2.25 billion years 11 million years
6 words (77 bits) 7000 trillion years 3.5 billion years 17 trillion years 87 billion years
7 words (90 bits) 5,400 trillion years 27 trillion years 136,000 trillion years 680 trillion years
Lessons
From the table you should surmise that three-word-long passwords of this sort aren’t long enough to withstand a plausible attack. You should also be able to see that anything over five words long is overkill. Or, given a Master Password with more than about 55 bits of real entropy (not the false reports that you get from most websites pretend to calculate password strength), you should be fine against any plausible attack for a long time to come.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:master password
Comments
-
Hi @kcca,
Yes, it is still relevant. The numbers are slightly less with 3 more years of hardware advancements but not enough to drastically reduce from a trillion year to our lifetime, it'd be like .9 trillion year instead.
I'd stay with 5-6 words as long as you're not using smaller words. A cat is blah dog is not great compared to meowing eclectic prudence revoke barkbarkbark.
0
