04-18-2013, 04:28 AM
First, let me say that this has been a great discussion, and I'd like to thank Atom for the choice to branch out into some of the more interesting formats that aren't pure hashes!
Second, regarding passphrase passwords, people need to be warned to be careful of the words they choose - first and foremost, people should check to make sure at least one of their words isn't on lists like the http://www.englishclub.com/vocabulary/co...s-5000.htm list of the top 5000 english words, and that's a bare minimum. For instance, "everything experience development federal" is four words, but they're all in the top 500 most common words, which, against an attacker using a Combinator attack (hashcat-utils!) is a keyspace of about 6E10... not very much, with over 2E6 seconds per month.
Third, on the Agile keychain format, I happen to use KeePass for the specific reason that I can change the number of iterations. Even on a smartphone, I choose millions of iterations; on a PC, tens of millions (and if it used AES-NI, I'd be using billions), specifically because I expected the cracking utilities to start using GPU, and you can always try to crack a file stolen before the technology improved. I'm also willing to wait a few seconds for a key to be decrypted, and I like the passphrase + file approach for a combination key, as well (though Truecrypt's multiple files is even better).
Second, regarding passphrase passwords, people need to be warned to be careful of the words they choose - first and foremost, people should check to make sure at least one of their words isn't on lists like the http://www.englishclub.com/vocabulary/co...s-5000.htm list of the top 5000 english words, and that's a bare minimum. For instance, "everything experience development federal" is four words, but they're all in the top 500 most common words, which, against an attacker using a Combinator attack (hashcat-utils!) is a keyspace of about 6E10... not very much, with over 2E6 seconds per month.
Third, on the Agile keychain format, I happen to use KeePass for the specific reason that I can change the number of iterations. Even on a smartphone, I choose millions of iterations; on a PC, tens of millions (and if it used AES-NI, I'd be using billions), specifically because I expected the cracking utilities to start using GPU, and you can always try to crack a file stolen before the technology improved. I'm also willing to wait a few seconds for a key to be decrypted, and I like the passphrase + file approach for a combination key, as well (though Truecrypt's multiple files is even better).