5

I'd like to know what a good minimum password length for a PuTTY passphrase is. This depends on the amount of entropy the passphrase needs to have, which in turn depends on the length one attempt takes, which in turn depends on the algorithm used to encrypt the private key.

Assuming a slow enough setup of PBKDF2, just 6 random alphanumeric characters would be almost 36 bits of entropy, and take a very long time to brute force. But if the encryption is trivial, it might be possible to try billions (or in parallel trillions) of attempts a second, and I'd want more like 64 bits of entropy at a minimum - at least 11 characters.

So which is it - does PuTTY use something nice and slow like PBKDF2/bcrypt/scrypt/whatever or do I need to worry about making sure passphrases are long?

JonathanDavidArndt
Eamon Nerbonne
  • 1
    Incidentally, I hope this is the right place to post - or would superuser be better? – Eamon Nerbonne Feb 20 '13 at 17:18
  • 5
    This may be more appropriate for [security.SE](http://security.stackexchange.com/), but check the FAQ and previous questions before asking there. – mgorven Feb 20 '13 at 17:41
  • 2
    Would appreciate if someone answered the actual question. Does PuTTY use key stretching for encrypting private keys or not? – Attila Szeremi Mar 20 '14 at 09:49

2 Answers

11

This should provide all the information you need: correct horse battery staple from XKCD

Tom O'Connor
  • 2
    +1 -- There is a reason it's called a "SSH key **passphrase**" -- an obscure line from a favorite book is what I often advise people to use. I have a friend who uses long palindromes. – voretaq7 Feb 20 '13 at 18:23
  • 2
    That comic is retarded. Use KeePass and it's irrelevant because then you have long passwords AND special characters, capitals, etc. Without having to remember every single one of your passwords by heart. – gparent Feb 20 '13 at 18:30
  • 2
    The 3 upvotes speak for themselves. – Tom O'Connor Feb 20 '13 at 19:18
1

Just follow this advice or read this and follow the links... at least 8 characters, not only letters, not in any dictionary, no l337 speak, ... Make sure your machines limit the rate of tries from a given IP address. The processing power available to miscreants is staggering.

vonbrand
  • Most of your advice is sound (if a bit dated -- see the XKCD cartoon in [Tom's answer](http://serverfault.com/a/480782/32986)), but `no l337 speak` is not: You just reduced your potential entropy pool substantially. If someone wants to use `1` instead of `l` or `0` instead of `o` you should let them. General rule for passwords: Never eliminate options. – voretaq7 Feb 20 '13 at 18:21
  • @voretaq7 Yes, but many of those "transliterations" are in the dictionaries used by e.g. Jack the Ripper. – vonbrand Feb 20 '13 at 18:34
  • 1
    That doesn't change the fact that they add entropy (i.e. Jack needs to search a *larger* key space). Any "You can't do that" restriction on a password narrows the search space, and most software is good about telling you these scope-narrowing requirements so you can trim your dictionary... – voretaq7 Feb 20 '13 at 18:44
  • Unpredictable entropy is more entropic ;-) ["Brute force" attacks try predictable passwords/phrases, and o --> 0, e --> 3, t --> 7 is predictable, perhaps o --> z3r0 is better...] – vonbrand Feb 20 '13 at 19:05
  • 4
    You're either completely missing or deliberately ignoring what I'm saying - The point isn't "can you do it better" (because the answer is "Correct horse battery staple!"), the point is "Don't restrict your users' password choices, because you'll make their passwords ***less secure***". – voretaq7 Feb 20 '13 at 19:17
  • @voretaq7, what I'm saying is try to nudge them into _more unpredictable_ password selecting strategies. You are right that o --> 0 adds more entropy, but it does so in a relatively predictable (i.e., not very much entropy-adding) way. – vonbrand Feb 20 '13 at 19:36
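
The arithmetic behind the question's 36-bit and 64-bit figures and behind the l33t-speak exchange above, as an added example that is not part of the original thread. The guess rates, the 7776-word list size and the substitution table are assumptions chosen for illustration, and nothing here describes how PuTTY actually derives its key.

```python
import math

ALNUM = 62        # a-z, A-Z, 0-9, as in the question
WORDLIST = 7776   # assumption: Diceware-sized list for random-word passphrases

def entropy_bits(symbols, length):
    """Entropy of `length` independent, uniformly random picks."""
    return length * math.log2(symbols)

def min_length(symbols, target_bits):
    """Fewest random picks that reach at least `target_bits`."""
    return math.ceil(target_bits / math.log2(symbols))

def bits_needed(guesses_per_sec, years):
    """Bits such that searching half the keyspace takes `years`."""
    seconds = years * 365.25 * 86400
    return math.log2(guesses_per_sec * seconds) + 1

def leet_bits_upper_bound(word, swappable="aeiolst"):
    """Optional swap per swappable letter: at most 1 bit each, assuming
    the attacker knows the substitution table (hypothetical table here)."""
    return sum(1 for c in word.lower() if c in swappable)

if __name__ == "__main__":
    # Constructed attacker speeds: a stretched KDF vs. a fast cipher check.
    for label, rate in [("slow KDF, 10/s", 10), ("fast, 1e12/s", 1e12)]:
        need = bits_needed(rate, years=1)
        print(f"{label}: {need:.1f} bits -> {min_length(ALNUM, need)} chars "
              f"or {min_length(WORDLIST, need)} words")
    print("6 alnum chars:", round(entropy_bits(ALNUM, 6), 1), "bits")
    print("l33t on 'password': <=", leet_bits_upper_bound("password"), "bits")
```

These figures hold only for characters or words chosen uniformly at random; a human-chosen phrase has less entropy than its length suggests.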