
Re: LUKS password gets printed as stars



On Saturday, 23 December 2017, 13:57:59 CET, Anders Andersson wrote:
Hi Anders, 

this is an interesting point you showed. I suppose 10 digits will mostly be 
used by people, maybe less.

But 1 percent longer for each added digit does not sound like much. However, 
when it comes to more digits, let's say 16 (WPA2 often uses 16 digits with only 
letters and numbers), then the time to crack will increase rapidly.

If I understood you correctly, and please correct me if I am wrong, this is 1 
percent of the time for trying all combinations with one digit less.

And I suppose guessing 15 digits will take a loooooong time, and 1 percent 
of this looooong time plus another much more looooooong time will result in a 
very looooooooooong time. So, the more unnecessary digits, the better.

Anders, is there an error in my thoughts?

For all people reading this, going back to the original theme: IMO 
showing stars for the password is worse (although typing could be heard and 
finger movements can be counted) than showing nothing. I remember that in kdm 
or other login managers it could be chosen whether there is 1 star/letter, 
3 stars/letter or none. 

Maybe this option should be added, so any operator can decide (after encoding 
the drives) which option he prefers: 1, 3 or none.

Have a happy Christmas

Best 

Hans

> No. I've been facepalming myself through this thread but I can't
> really keep my mouth shut anymore.
> 
> All this is very misguided. Knowing the length of your password means
> that it takes about 1-2% less time to brute-force it, no matter how
> many characters you use.
> 
> This is because every extra character multiplies the difficulty by
> about 50-100 depending on what type of characters you pick from.
> 
> Let's say you use a 10-letter password, from a pool of 100 characters
> for each letter and someone is brute-forcing it. If they *know* that
> you have 10 letters in your password, they will have to try on average
> 100^10/2 = 50000000000000000000 times before they find the right
> password.
> 
> Now, what happens if they *don't* know? They will have to start
> testing all possible 1-letter passwords, then 2-letter, 3-letter etc:
> (100^1 + 100^2 + 100^3...)/2 = 50505050505050505050. Wow, to
> brute-force without knowing the number requires 1.01% more calculations.
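The arithmetic from the quoted reply, worked through as an added example (not from the original thread) and generalised to other pool sizes and lengths; the pool sizes 10, 26 and 62 and the 16-character WPA2-style case are assumed values for illustration, only 100 symbols and 10 letters come from the thread.

```python
# Added example, not from the thread: how much does knowing the exact
# password length save a brute-force search, and how does that compare
# with simply making the password one character longer?
from fractions import Fraction


def candidates_known_length(pool: int, length: int) -> int:
    """Number of candidates when the exact length is known: pool**length."""
    return pool ** length


def candidates_unknown_length(pool: int, max_length: int) -> int:
    """Candidates when every length 1..max_length must be tried in turn:
    the geometric series pool + pool**2 + ... + pool**max_length."""
    return sum(pool ** k for k in range(1, max_length + 1))


def expected_guesses(candidates: int) -> Fraction:
    """On average the right password is found halfway through the list."""
    return Fraction(candidates, 2)


def overhead_percent(pool: int, length: int) -> Fraction:
    """Extra work of the unknown-length search, as a percentage of the
    known-length search. The factor 1/2 cancels, so this is exact."""
    known = candidates_known_length(pool, length)
    unknown = candidates_unknown_length(pool, length)
    return Fraction(unknown - known, known) * 100


def limit_percent(pool: int) -> Fraction:
    """Closed form: the overhead is (1 - pool**-(length-1)) / (pool - 1),
    which for long passwords approaches 100 / (pool - 1) percent."""
    return Fraction(100, pool - 1)


if __name__ == "__main__":
    # The quoted case: 10 letters from a pool of 100 symbols.
    print(expected_guesses(candidates_known_length(100, 10)))
    print(expected_guesses(candidates_unknown_length(100, 10)))
    print(f"overhead: {float(overhead_percent(100, 10)):.4f}%")
    # Assumed alphabets: digits, lowercase, alphanumeric, the thread's 100.
    for pool in (10, 26, 62, 100):
        print(f"pool {pool:3d}: not knowing the length costs "
              f"{float(overhead_percent(pool, 16)):.2f}% extra")
    # One unnecessary extra character multiplies the work by the pool size.
    print(candidates_known_length(100, 11) // candidates_known_length(100, 10))
```

The overhead from hiding the length is always below 100/(pool - 1) percent, while each additional character multiplies the search by the pool size, which is the comparison the two posts above are making.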
