How long does a PuTTY keyphrase need to be (i.e. how does PuTTY encrypt private keys)

I'd like to know what a good minimum password length for a PuTTY passphrase is. This depends on the amount of entropy the passphrase needs to have, which in turn depends on the length one attempt takes, which in turn depends on the algorithm used to encrypt the private key.

Assuming a slow enough setup of PBKDF2, just 6 random alphanumeric characters would be almost 36 bits of entropy, and take a very long time to brute force. But if the encryption is trivial, it might be possible to try billions (or in parallel trillions) of attempts a second, and I'd want more like 64 bits of entropy at a minimum - at least 11 characters.

So which is it - does PuTTY use something nice and slow like PBKDF2/bcrypt/scrypt/whatever or do I need to worry about making sure passphrases are long?
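The arithmetic in the question (entropy of a random alphanumeric passphrase, the length needed for a target number of bits, and how the cost of one guess drives the expected cracking time) as a worked example. This is added code, not the asker's or PuTTY's; it uses PBKDF2-HMAC-SHA256 from Python's standard library purely as a stand-in for "the length one attempt takes" and makes no claim about which key derivation PuTTY actually uses.

```python
import hashlib
import math
import os
import secrets
import string
import time

# 62-symbol alphabet: the "random alphanumeric characters" from the question.
ALPHANUMERIC = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Smallest passphrase length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_passphrase(length: int) -> str:
    """Uniformly random passphrase from a CSPRNG, so the entropy figure holds."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def measure_kdf_seconds(iterations: int, samples: int = 5) -> float:
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 derivation at `iterations`.

    Assumption for illustration only: this models a slow KDF protecting the
    key file. iterations=1 approximates a 'trivial' (single-hash) scheme.
    """
    salt = os.urandom(16)  # constructed sample salt
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"passphrase", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_years(bits: float, seconds_per_guess: float, parallelism: int = 1) -> float:
    """Expected time to find a passphrase with `bits` of entropy.

    On average the attacker searches half the keyspace; `parallelism` is the
    number of guesses evaluated concurrently (e.g. GPU lanes or machines).
    """
    guesses = 2 ** (bits - 1)
    return guesses * seconds_per_guess / parallelism / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(f"6 alphanumeric chars: {entropy_bits(6):.1f} bits")
    print(f"chars needed for 64 bits: {min_length_for_bits(64)}")
    print(f"sample passphrase: {random_passphrase(min_length_for_bits(64))}")

    # Compare a trivial scheme with a slow KDF on this machine.
    fast = measure_kdf_seconds(1)
    slow = measure_kdf_seconds(100_000)
    for label, cost in (("single hash", fast), ("100k-iteration PBKDF2", slow)):
        for length in (6, 11):
            years = expected_crack_years(entropy_bits(length), cost, parallelism=1_000)
            print(f"{label:>22} | {length} chars | 1000-way parallel: {years:.3g} years")
```

The measured cost depends on the machine, so the printed years are only an order-of-magnitude guide; the entropy and length figures are exact. The point the question makes falls out directly: with a trivial per-guess cost, 6 characters is not enough, and only a slow KDF or a longer passphrase moves the expected cracking time into a comfortable range.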


Solution 1:

This should provide all the information you need: correct horse battery staple from XKCD

Solution 2:

Just follow this advice or read this and follow the links... at least 8 characters, not only letters, not in any dictionary, no l337 speak, ... Make sure your machines limit the rate of tries from a given IP address. The processing power available to miscreants is staggering.