Higher encryption, means less strong password required?

lc flag

Does higher encryption mean that my password could be shorter? If the time to decrypt is longer, then the chance to bruteforce gets lower too, right?

I've created a KeePass database, and at the creation you get to choose the decryption time (to 100 ms to 5 seconds). I was wondering if this implies a more secure way to use a short password, since the time to decrypt trying with each password would be higher.

Does bruteforce work like this, or other way?

samuel-lucas6 avatar
bs flag
'Higher encryption' is a bit misleading as you seem to be talking about password-based key derivation delay. As for the answer, technically yes it makes it 'safer' to use a shorter password, but it's not a good reason to. If you use a weak/common password, it will still be brute forceable. Why would you want to deliberately worsen your security, especially if it's one of the only passwords to remember? I suggest using a 6+ word Diceware passphrase instead. That's memorable and offers reasonable security.
in flag

Yes, up to a point. When your password is used for encryption/decryption, it first goes through a key derivation phase, to convert your password into a key suitable for encryption (e.g an AES key). The key derivation function is tuneable, it is designed to be deliberately slow to compute. And you can choose how slow. We should assume the attacker is more efficient than we are and uses better/more suitable hardware to break the KDF, so brute force time will be much less than your decryption time*number of possible passwords. Yet we still expect a strong linear relationship between the two.

However, a high entopy password is still desired, various improvements in cryptanalisis can speed up the KDF, so if I had to chose purely on security (disregarding time for honest decryption, or cost of saving the secret) between twice the password space or twice the rounds of a KDF, I would choose twice the password space any day of the week.

I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.