How long does a PuTTY keyphrase need to be (i.e. how does PuTTY encrypt private keys)
I'd like to know what a good minimum password length for a PuTTY passphrase is. This depends on the amount of entropy the passphrase needs to have, which in turn depends on the length one attempt takes, which in turn depends on the algorithm used to encrypt the private key.
Assuming a slow enough setup of PBKDF2, just 6 random alphanumeric characters would be almost 36 bits on entropy, and take a very long time to brute force. But if the encryption is trivial, it might be possible to try billions (or in parallel trillions) of attempts a second, and I'd want more like 64 bits of entropy at a minimum - at least 11 characters.
So which is it - does PuTTY use something nice and slow like PBKDF2/bcrypt/scrypt/whatever or do I need to worry about making sure passphases are long?
Solution 1:
This should provide all the information you need: from XKCD
Solution 2:
Just follow this advise or read this and follow the links... at least 8 characters, not only letters, not in any dictionary, no l337 speak, ... Make sure your machines limit the rate of tries from a given IP address. The processing power available to miscreants is staggering.