Page 1 of 1

Password Guidelines?

Posted: Sun Mar 03, 2019 9:42 pm
by ThatOneGuy
I've been looking through documentation and such and I can't find anywhere if there is a limit on the password? 32 characters? 64? With my password generator program I could easily throw a 250 character password at AES Crypt. Would this conceivably increase encryption time? Is there a point where a longer password simply has diminishing returns? Looking for guidelines here, I have a crapton of data to encrypt and want it secure before I put it on a cloud service.

Re: Password Guidelines?

Posted: Tue Mar 05, 2019 6:37 am
by paulej
The maximum password length is 1024 characters, and that was just an arbitrary limit I picked. The password length won't make encryption take more or less time. It might take the key derivation routine a little longer, but it would be so fast you wouldn't see a difference.

Passwords are munged into a 256-bit value that is used as the encryption key. That's the strongest key supported by AES. To maximize password strength, you'd only need 43 random characters from the set of upper case, lower case, and numbers (62 distinct characters). See: https://www.wolframalpha.com/input/?i=log2(62)*43. You can see the bit strength is just over 256.

When encrypting data for cloud storage, I tend to use longer passwords, though. The reason is that the software I use to generate random passwords might not be as ideal as it should be. So rather than lose key strength due to lower entropy in my password generator, I just create longer passwords. I go overboard, though, sometimes using randomly generated passwords that are 384 characters long. That's definitely beyond diminishing returns, but it doesn't hurt, either.

I hope that helps.

Re: Password Guidelines?

Posted: Fri Mar 08, 2019 3:21 am
by ThatOneGuy
Thanks!