security - Create a strong password for AES

Background: I'm using the PBEWITHSHA256AND128BITAES-CBC-BC algorithm (Bouncy Castle) with Jasypt via the Grails plugin. The configuration is straightforward:

    jasypt {
        algorithm = "PBEWITHSHA256AND256BITAES-CBC-BC"
        providerName = "BC"
        password = "<your secret passphrase>"
        keyObtentionIterations = 1000
    }

I want to know how to choose a secure password for the above. Are there real or practical limits on length, restricted characters, etc.? Is there a specific generator I should be using? I couldn't find clear documentation on this, and the examples use values like the above (e.g., "password", "secret", etc.).

Password-based encryption takes a password, as the term implies. Passwords are run through a key derivation function to obtain the actual key. Since a KDF is typically constructed from a hash function, the password may be of any length and contain any characters.

Passwords have to be run through a KDF because typical passwords don't contain anywhere near enough entropy to be considered secure against brute force attacks. The KDF substitutes for the lack of "key space" depth with computationally expensive key derivation, hence the thousands of iterations. The disadvantage is the fact that initializing the cipher is expensive.

This tradeoff is worth it if passwords are required instead of raw keys. However, in your case it would be a better idea to use a raw key. Unfortunately it seems the Jasypt library you are using only supports PBE.

To contain at least 256 bits of entropy (as a raw random 256-bit key does), the password has to contain at least 43 random (case-sensitive) alphanumeric characters. If you pick a password that long, you can lower the iteration count to 1.

It seems pretty odd to me to have to think this through though, when using a library that is supposed to be usable "without the need of having deep knowledge on how cryptography works". Why expose the ugly details if users aren't supposed to know what they are?
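As an added example (not part of the question or the answer above, and not Jasypt's or Bouncy Castle's own code), the following Python works through the arithmetic in the answer: how many characters drawn uniformly from a given alphabet are needed to reach a target entropy (43 alphanumerics for 256 bits, 22 for 128), a generator that draws them from the OS CSPRNG, a rough entropy estimate for the kind of dictionary-word examples the question mentions, and the password-to-key step. PBKDF2-HMAC-SHA256 from the standard library is used here as a stand-in KDF; the Jasypt/Bouncy Castle "...-CBC-BC" algorithms use a different derivation scheme, so the key bytes below will not match what Jasypt derives. All inputs are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# 62-symbol alphabet: the "(case-sensitive) alphanumeric" set from the answer.
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest length whose entropy reaches `target_bits` (e.g. 62, 256 -> 43)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: int = 256, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character from the OS CSPRNG (secrets), never from random.random()."""
    length = min_length_for_bits(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimate_entropy_bits(password: str) -> float:
    """Optimistic upper bound for a human-chosen password: assumes every character
    was drawn uniformly from the union of the character classes actually present.
    Real dictionary words like "secret" are far weaker than even this bound."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet_size = sum(size for chars, size in classes if any(c in chars for c in password))
    if alphabet_size == 0:
        return 0.0
    return entropy_bits(alphabet_size, len(password))


def derive_key(password: str, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """Password -> key. Stand-in KDF (PBKDF2-HMAC-SHA256); Jasypt's BC algorithms
    use a different scheme, so this is illustrative only. `iterations` is the
    knob the answer says can drop to 1 once the password itself carries 256 bits."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=key_len)


if __name__ == "__main__":
    for bits in (128, 256):
        print(f"{bits}-bit key needs {min_length_for_bits(62, bits)} alphanumeric chars")
    print(f'"secret" upper-bound entropy: {estimate_entropy_bits("secret"):.1f} bits')
    pw = generate_password(256)
    print(f"generated: {pw} ({entropy_bits(62, len(pw)):.1f} bits)")
    salt = secrets.token_bytes(16)  # constructed per run; store it next to the ciphertext
    print("key:", derive_key(pw, salt, iterations=1).hex())
```

The point of `estimate_entropy_bits` is only to make the gap visible: even under the most generous assumption, "secret" sits near 28 bits, while the raw-key equivalent the answer is asking for is 256.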

