Friday, February 26, 2010

Bit Equivalent Strength of a password

In all those cases where you supply a password or passphrase that in turn generates an encryption key, the passphrase is the weakest link (and by weakest, I mean about 604 billion trillion times weaker! More on that later).

Encryption methods are ranked mainly by how many key bits they have: every bit you add doubles the number of possible keys, and so doubles the strength.

Passwords, however, are ranked by their length and by how complex they are (how many different characters they can draw on).

Since in many cases passwords are used to generate encryption keys, a weak or short password is the weakest link in the chain.

For example, there is no point in using 256-bit encryption when your password is "123".

So you can work out the "Bit Equivalent Strength" of a password simply from its number of possible combinations (the size of the character set raised to the power of the length), then see where that number falls in a lookup table of 2^x.

So the point is: in many cases where you are encrypting something, like your hard disk or your files, ignore for now how many bits the encryption key has and think more about your password.

If you want a "128-bit password", then you need 21 characters (with an average keyset of 72 characters).

Would you encrypt your company secrets with 49 bits? The most complex 8-character password is only 49 bits. That's 604 billion trillion times weaker than 128 bits.

Now, you might think those are really large numbers that no one could ever crack. Read it all again, though, bearing in mind that an off-the-shelf gaming machine can brute-force about 150 million passwords a second, using mainly its GPU. That's the first 27 bits in 1 second! And the time doubles for every bit added (that's the simple version, anyway). With some better maths, a 49-bit password (8 complex characters) is cracked in 49 days. Of course, different methods take different times to decrypt, so the exact figure varies.
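To make the arithmetic above concrete, here is a small Python script I have added to this post (it is my example, not part of the original write-up). It assumes the two figures quoted in the post, a 72-character "average keyset" and 150 million guesses per second, and it also estimates a password's keyset from the character classes it actually uses (26 lower, 26 upper, 10 digits, 32 symbols), which is my own convention rather than the post's. The search time it reports is the worst case of trying every combination; the post's 49-day figure comes from the author's own "better maths" and is not reproduced here.

```python
import math
import string

# Constructed assumptions, taken from the figures quoted in the post:
# an "average keyset" of 72 characters and a gaming GPU doing 150 million guesses/s.
AVERAGE_KEYSET = 72
GUESSES_PER_SECOND = 150_000_000


def keyset_size(password: str) -> int:
    """Estimate the character set a password draws on from the classes it uses.
    Class sizes (26/26/10/32) are an assumption of this example, not from the post."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def combinations(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `charset_size` symbols."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return charset_size ** length


def bit_strength(charset_size: int, length: int) -> float:
    """Bit-equivalent strength: the x for which 2^x equals the number of combinations."""
    return length * math.log2(charset_size)


def chars_needed(target_bits: float, charset_size: int = AVERAGE_KEYSET) -> int:
    """Smallest length whose combinations reach at least 2^target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def times_weaker(strong_bits: float, weak_bits: float) -> float:
    """How many times more combinations the stronger strength has than the weaker one."""
    return 2 ** (strong_bits - weak_bits)


def bits_searched_per_second(rate: int = GUESSES_PER_SECOND) -> int:
    """How many whole bits of keyspace the guess rate exhausts in one second."""
    return int(math.log2(rate))


def exhaustive_search_seconds(charset_size: int, length: int,
                              rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at `rate` guesses per second."""
    return combinations(charset_size, length) / rate


if __name__ == "__main__":
    for pw in ("123", "Passw0rd!"):
        k = keyset_size(pw)
        print(f"{pw!r}: keyset {k}, {bit_strength(k, len(pw)):.1f} bits")
    print(f"8 chars from {AVERAGE_KEYSET}: {bit_strength(AVERAGE_KEYSET, 8):.1f} bits")
    print(f"chars needed for 128 bits: {chars_needed(128)}")
    print(f"128-bit vs 49-bit: {times_weaker(128, 49):.3g} times")
    print(f"bits exhausted per second: {bits_searched_per_second()}")
    days = exhaustive_search_seconds(AVERAGE_KEYSET, 8) / 86400
    print(f"worst-case exhaustive 8-char search: {days:.1f} days")
```

Running it reproduces the post's figures: 8 characters from a 72-character set is just over 49 bits, 21 characters are needed to reach 128 bits, the gap between 49 and 128 bits is 2^79 (about 6.04 × 10^23, the "604 billion trillion"), and 150 million guesses a second covers 27 bits in one second.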

Interesting...