defuse / php-encryption

Simple Encryption in PHP.
MIT License

Recommendations in choosing a password #497

Closed PhantomArt closed 1 year ago

PhantomArt commented 2 years ago

What are the recommendations for choosing a password for Crypto::encryptWithPassword() that will make brute force impractical when an encrypted file is compromised? Suppose the password consists of printable ASCII characters. What would be a safe minimum length?

defuse commented 1 year ago

The password gets hashed with 100,000 iterations of PBKDF2 which slows down brute-force attacks somewhat, but for good security I'd recommend having at least around 80 bits of entropy in the password, e.g. at least 13 actually-random printable ASCII characters, more is better.
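The arithmetic behind that answer, as an added example (this is not code from php-encryption or from either commenter): it computes how many uniformly random characters from an alphabet of a given size reach a target entropy, generates such a password with PHP's CSPRNG-backed `random_int()`, and estimates the expected brute-force cost when each guess costs the 100,000 PBKDF2 iterations mentioned above. The alphabet is assumed to be the 95 printable ASCII characters (0x20 to 0x7E); the attacker's hashing rate is a hypothetical figure passed in by the caller, not a measured number. The generated string is what you would pass as the password argument to the `Crypto::encryptWithPassword()` call the question names.

```php
<?php
// Added example, not part of php-encryption. Assumes the 95 printable
// ASCII characters as the alphabet and a caller-supplied, hypothetical
// attacker hash rate for the cost estimate.
declare(strict_types=1);

/** The 95 printable ASCII characters, space (0x20) through tilde (0x7E). */
function printableAsciiAlphabet(): string
{
    return implode('', array_map('chr', range(0x20, 0x7E)));
}

/** Entropy in bits of a string of $length symbols drawn uniformly from $alphabetSize symbols. */
function entropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

/** Smallest length whose entropy is at least $targetBits. */
function minLengthForBits(float $targetBits, int $alphabetSize): int
{
    return (int) ceil($targetBits / log($alphabetSize, 2));
}

/**
 * Generate a password of $length characters, each chosen uniformly from
 * $alphabet. random_int() is backed by the OS CSPRNG and is unbiased, so
 * every character carries log2(|alphabet|) bits.
 */
function generatePassword(int $length, ?string $alphabet = null): string
{
    $alphabet ??= printableAsciiAlphabet();
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Expected brute-force time in years. On average an attacker tries half the
 * keyspace (2^(bits-1) guesses), and each guess costs $iterations PBKDF2
 * iterations. $hashesPerSecond is an assumption supplied by the caller.
 */
function expectedBruteForceYears(float $bits, int $iterations, float $hashesPerSecond): float
{
    $expectedGuesses = 2 ** ($bits - 1);
    $seconds = ($expectedGuesses * $iterations) / $hashesPerSecond;
    return $seconds / (365.25 * 24 * 3600);
}

$alphabetSize = strlen(printableAsciiAlphabet()); // 95
$target = 80.0;
$needed = minLengthForBits($target, $alphabetSize); // 13

printf("%d printable ASCII characters give %.1f bits (target %.0f)\n",
    $needed, entropyBits($needed, $alphabetSize), $target);
printf("%d characters would give only %.1f bits\n",
    $needed - 1, entropyBits($needed - 1, $alphabetSize));

$password = generatePassword($needed);
printf("Generated password (%d chars): %s\n", strlen($password), $password);

// Hypothetical attacker: 1e9 PBKDF2 iterations per second, 100000 iterations
// per guess (the iteration count stated in the comment above).
$years = expectedBruteForceYears(entropyBits($needed, $alphabetSize), 100000, 1e9);
printf("Expected brute-force time at 1e9 iterations/s: %.1e years\n", $years);
```

Running it prints that 13 characters give about 85.4 bits while 12 give about 78.8, which is where the "at least 13" figure comes from. The cost estimate only holds for a password that was actually generated this way; a human-chosen 13-character password drawn from a dictionary or keyboard pattern has far fewer than 85 bits regardless of its length.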