
Re: LUKS password gets printed as stars



On Fri, Dec 22, 2017 at 10:25 PM, Richard Hector <richard@walnut.gen.nz> wrote:
> On 21/12/17 22:16, Curt wrote:
>> On 2017-12-20, Richard Hector <richard@walnut.gen.nz> wrote:
>>>
>>> On 21/12/17 02:02, Curt wrote:
>>>> Also, I'm uncertain whether suppression of the asterisk-echo qualifies
>>>> as "security by obscurity"
>>>
>>> I think most people accept that obscurity is quite reasonable for
>>> passwords ...
>>>
>>> Richard
>>>
>>
>> Wonderful, Dick, however, I was referring to the specific expression
>> "security by (or through) obscurity," which denotes something else.
>>
>> https://en.wikipedia.org/wiki/Security_through_obscurity
>
> I'm aware of that concept. But making it harder to see the length of the
> password makes it harder to guess the password, no? Which has got to be
> good?

No. I've been facepalming myself through this thread but I can't
really keep my mouth shut anymore.

All this is very misguided. Knowing the length of your password means
that it takes about 1-2% less time to brute-force it, no matter how
many characters you use.

This is because every extra character multiplies the difficulty by
about 50-100 depending on what type of characters you pick from.

Let's say you use a 10-letter password, from a pool of 100 characters
for each letter, and someone is brute-forcing it. If they *know* that
you have 10 letters in your password, they will have to try on average
100^10/2 = 50000000000000000000 times before they find the right
password.

Now, what happens if they *don't* know? They will have to start
testing all possible 1-letter passwords, then 2-letter, 3-letter etc.:
(100^1 + 100^2 + 100^3 ...)/2 = 50505050505050505050. Wow, to
brute-force without knowing the number requires 1.01% more calculations.
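The arithmetic in the message above, worked through in Python. This is an added example, not part of the original post: it reproduces the poster's figures for a 10-character password over a 100-symbol alphabet using the same model (every candidate equally likely, half the candidate space tried on average), then generalises the "extra work from a hidden length" to any alphabet size and length, and shows the exact upper bound 1/(N-1) that follows from the geometric sum. All function names are my own.

```python
"""Brute-force cost when the password length is known versus unknown.

Added example (not from the mailing-list post). Search model, as in the post:
every candidate is equally likely and on average half of the candidate space
is tried before the right password is found.
"""
from fractions import Fraction


def expected_trials_known_length(alphabet_size: int, length: int) -> int:
    # Attacker knows the exact length: the candidate space is N**L.
    return alphabet_size ** length // 2


def expected_trials_unknown_length(alphabet_size: int, length: int) -> int:
    # Attacker does not know the length, so every shorter length is searched
    # as well: the candidate space is N**1 + N**2 + ... + N**L.
    total_space = sum(alphabet_size ** k for k in range(1, length + 1))
    return total_space // 2


def overhead_from_unknown_length(alphabet_size: int, length: int) -> Fraction:
    # Relative extra work caused by hiding the length, computed exactly:
    # (N**1 + ... + N**(L-1)) / N**L  ==  (N**L - N) / ((N - 1) * N**L),
    # which is always strictly below 1 / (N - 1).
    shorter = sum(alphabet_size ** k for k in range(1, length))
    return Fraction(shorter, alphabet_size ** length)


def overhead_upper_bound(alphabet_size: int) -> Fraction:
    # Hiding the length can never cost the attacker more than this fraction
    # of extra work, whatever the password length.
    return Fraction(1, alphabet_size - 1)


if __name__ == "__main__":
    N, L = 100, 10  # the post's example: 100-symbol alphabet, 10 characters
    known = expected_trials_known_length(N, L)
    unknown = expected_trials_unknown_length(N, L)
    print(f"known length   : {known}")
    print(f"unknown length : {unknown}")
    print(f"extra work     : {float(overhead_from_unknown_length(N, L)):.4%}")
    print()
    print("alphabet   extra work from hidden length (10 chars)   bound 1/(N-1)")
    for n in (10, 26, 62, 95, 100):
        ov = overhead_from_unknown_length(n, 10)
        print(f"{n:>8}   {float(ov):>38.2%}   {float(overhead_upper_bound(n)):>13.2%}")
    print()
    # For comparison: one more character multiplies the known-length work by N.
    factor = expected_trials_known_length(N, L + 1) // known
    print(f"one extra character multiplies the work by {factor}")
```

Run it as a script to see the table; the point it makes is that hiding the length buys at most 1/(N-1) extra work (about 1% for a 100-symbol alphabet, 11% for a digits-only PIN), whereas one additional character multiplies the work by N.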

