I decided to get serious and stop using the same flimsy password everywhere. So today I installed KeePass and used it to generate a different password for each of my log-ins. The KeePass database is stored in a public Dropbox folder where it can be accessed by the MyKeePass app I put on my iPhone.
The KeePass database is encrypted in 256-bit AES/Rijndael. Each of the passwords it generated has at least 128 bits of entropy. However, my master password has only 75 bits. [Since I'll frequently have to enter it on the tiny iPhone keyboard, I wanted it to consist only of letters.] It's a pair of nonsense words I made up in high school, so it ought to be resistant to dictionary attacks. But I'd be happier if it were at least 128-bit strong as well.
Or would that be overkill? I've considered using Diceware
to make a stronger all-letters master password. But it would require a 10-word phrase to pass the 128-bit threshhold. And the FAQ says "... if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day." [But the FAQ copyright notice begins in 1996. So he could be talking about the Pentium 166 era of cracking power.]
Assuming the worst case scenario that a malefactor has already found the KeePass database in the public Dropbox folder and is already at work on it, how long might I hope for the current 75-bit master password to hold out?
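The arithmetic behind the question above, as an added worked example that is not part of the original post and is not code from KeePass, MyKeePass or Diceware. It reproduces the two figures the post relies on (about 12.9 bits per Diceware word, hence 10 words to clear 128 bits) and turns "how long might it hold out" into a function of entropy and the attacker's guess rate. The guess rates used in the demo are hypothetical placeholders, not measurements; the only thing that makes them realistic for KeePass is that they must be measured against the database's key-transformation rounds, which slow every candidate master password, not against raw AES speed.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def diceware_bits_per_word(faces: int = 6, dice: int = 5) -> float:
    """Entropy of one word picked uniformly by rolling `dice` dice with `faces` sides.
    Standard Diceware: five six-sided dice -> a 7776-word list -> log2(7776) ~ 12.92 bits."""
    return math.log2(faces ** dice)


def words_needed(target_bits: float) -> int:
    """Smallest Diceware phrase length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / diceware_bits_per_word())


def crack_time_seconds(entropy_bits: float, guesses_per_second: float, average: bool = True) -> float:
    """Brute-force time for a secret chosen uniformly from a 2**entropy_bits space.
    average=True: expected time (attacker succeeds halfway through on average).
    average=False: time to exhaust the whole space (guaranteed success).
    guesses_per_second must be the rate against the real key derivation: KeePass applies
    N key-transformation rounds per candidate password, so the effective rate is far
    below the rate at which the same hardware can run bare AES."""
    guesses = 2.0 ** entropy_bits
    if average:
        guesses /= 2
    return guesses / guesses_per_second


def crack_time_years(entropy_bits: float, guesses_per_second: float, average: bool = True) -> float:
    return crack_time_seconds(entropy_bits, guesses_per_second, average) / SECONDS_PER_YEAR


def roll_diceware_word_index(rng=secrets.randbelow) -> tuple[str, int]:
    """Roll five dice with a CSPRNG (secrets, not random) and return the Diceware
    lookup key ('11111'..'66666') plus the 0-based index into a 7776-word list.
    `rng` is injectable only so the mapping can be checked deterministically."""
    rolls = [rng(6) + 1 for _ in range(5)]
    key = "".join(str(r) for r in rolls)
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)  # base-6 digit, most significant die first
    return key, index


if __name__ == "__main__":
    print(f"bits per Diceware word: {diceware_bits_per_word():.3f}")
    for target in (75, 128):
        print(f"words for {target} bits: {words_needed(target)}")
    # Hypothetical guess rates against the KDF; adjust to a measured figure for your rounds setting.
    for bits in (75, 128):
        for rate in (1e6, 1e9, 1e12):
            print(f"{bits:3d} bits @ {rate:.0e} guesses/s: "
                  f"~{crack_time_years(bits, rate):.3g} years on average")
    key, index = roll_diceware_word_index()
    print(f"sample roll: key {key} -> list index {index}")
```

Note that the average-case time only halves the exhaustive figure, so the gap between 75 and 128 bits (2**53, roughly nine quadrillion times more work) dwarfs any realistic difference in attacker hardware; whether 75 bits is "enough" depends almost entirely on the guess rate the key-transformation rounds permit, which is the number to measure rather than assume.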