Forums Community Encryption Question Reply To: Encryption Question

#4024 Reply


Hello Robert,

Your question makes eminent sense, and I’d refrain from using encryption products that limit password length to 16 characters for AES-128 etc. It shows a fundamental lack of understanding of the technology, and I’d suspect that such a product does not properly implement other encryption functions.

I can’t write a really long response, but properly implemented software a password based key derivation function of some kind. AxCrypt uses a standard function called PBKDF2 with SHA512.

The fact of the matter is that in practice a typed password does not use 8 bits/character (even if the characters is stored using 8 bits, there’s a bit of effective waste there since not all 256 positions typically represent printable/typable characters). ASCII which you refer to for example is a 7-bit code, stored in 8 bits most commonly, and even so not all 128 positions are used by printable characters.

A 44 character password, provided that is not a sentence or set of words but rather really is a long password with a good mix of characters is very good, and is likely to give you more than 128 bits of effective strength, but perhaps not as much as 256 (it depends on how the password is constructed).

To determine the effective strength of the password:

  1. Assume the attacker knows the *principle* but not the detail of your password. I.e., assume the attacker is yourself, who knows everything about how you choose passwords – *except* the actual password.
  2. Estimate the number of possible passwords by taking the number of possibilities for each position or group times each other. Call this hopefully very big number N.
  3.  Calculate log N / log 2. This will give you the number of effective bits.

Example: I chose a password that is 8 characters long, with completely random characters upper and lower case a-z. Each position can have 26 + 26 possibilities = 52 per position. So, N = 26 * 26 * … * 26 (8 times), i.e. 26^8.

N = 53459728531456.

log(53459728531456) / log(2) = approximately 45.6, i.e. approximately 47 bits.

This is a very weak password…