4 thoughts on “Passwords vs. Private Keys”

  1. Interesting, never thought that passwords are so strong compared to certificates.
    I’m wondering why they used only 512-2048 bit certs. To my knowledge, 2048 is the bare minimum today. 3072 is recommended by NIST (AFAIK) and personally, I see no problem with 4096 if the solution supports it.

  2. A couple of thoughts.

    First, passwords don’t “contain entropy”. Instead, the process that generates the password “extracts entropy” to build the password string. It’s easy to say “this password has 80-bits of security” or “this AES key has 128-bits of security”, but in reality, the password and the AES key are just random numbers.

    So, in the case of the password, it is just one of 2^80 possible outcomes, and in the case of the AES key, it’s just one of 2^128 possible outcomes, which leads me to my second point.

    Password hash crackers don’t generally think in terms of “entropy” but in “keyspace”. This is something I’m still struggling to settle with internally, as when I think of passwords, I think of password generators, rather than password strings. But password hash cracking utilizes approaches that take advantage of patterns people use on the strings themselves.

    It makes sense. 94% of the human population are creating weak passwords. They’re not random numbers (strings), but predictable sequences of patterns. This greatly limits the searchable keyspace, and password hash cracking is all about getting as efficient as possible in finding those patterns.

    However, the article was a good read.

    1. You should notice that the article mentions PSK for site-to-site VPNs. This should be in the 6% where you can easily generate a proper password e.g. by using a password generator. With VPNs, you have mainly PSKs (quick, easy, deemed not super secure) and digital certificates (slow, complex, deemed state-of-the-art secure).
      My question would be whether PSKs and certs are handled similarly by IPsec, or if there is a difference which could favor certs?

      1. Hey Peter,

        looking at the security aspect only, there is no difference. If used properly, PSKs offer the same security for the authentication process as certificates.

        But of course there are some differences in the handling of many VPNs. While you won’t use certificates for just a few VPNs, you can have automated processes with certs when you’re adding new sites, for example. This makes it easier to manage hundreds/thousands of remote sites.
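The second comment's distinction between "entropy" (what a generator extracts) and "keyspace" (what a cracker has to search) can be made concrete with a small calculation. The following is an added example, not code from the article or any commenter; the mask tokens are modelled on hashcat-style ?l/?u/?d/?s classes and the class sizes are an assumption of this example (the symbol class omits space). It compares a 9-character password that follows a common human pattern against a 9-character password drawn uniformly at random, and shows how many random characters reach the 80- and 128-bit levels the comment mentions.

```python
import math
import secrets
import string

# Character classes written in the style of hashcat mask tokens (?l ?u ?d ?s).
# The sizes are constructed for this example (the symbol class omits space).
MASK_CLASSES = {
    "l": string.ascii_lowercase,   # 26
    "u": string.ascii_uppercase,   # 26
    "d": string.digits,            # 10
    "s": string.punctuation,       # 32
}
# Full printable alphabet a password generator draws from (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mask_keyspace(mask: str) -> int:
    """Count the strings matching a mask such as '?u?l?l?l?l?l?d?d?s'
    (a typical human pattern: capital, word, two digits, symbol)."""
    tokens = mask.split("?")
    if tokens[0] != "" or any(t not in MASK_CLASSES for t in tokens[1:]):
        raise ValueError("mask must be a sequence of ?l/?u/?d/?s tokens")
    keyspace = 1
    for t in tokens[1:]:
        keyspace *= len(MASK_CLASSES[t])
    return keyspace


def generated_keyspace(length: int, alphabet: str = FULL_ALPHABET) -> int:
    """Keyspace of a uniformly random password of the given length."""
    return len(alphabet) ** length


def bits(keyspace: int) -> float:
    """Security level in bits: log2 of the number of equally likely outcomes."""
    return math.log2(keyspace)


def chars_needed(target_bits: int, alphabet: str = FULL_ALPHABET) -> int:
    """Shortest uniformly random password over `alphabet` reaching target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Draw a password with a CSPRNG: one of len(alphabet)**length outcomes."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    human = "?u?l?l?l?l?l?d?d?s"          # 9 characters, but patterned
    print(f"{human}: {bits(mask_keyspace(human)):.1f} bits")
    print(f"random 9-char: {bits(generated_keyspace(9)):.1f} bits")
    print(f"chars for 80 bits: {chars_needed(80)}, for 128 bits: {chars_needed(128)}")
```

The patterned 9-character password sits at roughly 40 bits while the random one of the same length is near 59 bits, which is why a VPN PSK should come from a generator rather than a person.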
