We’re talking password lengths, here, so let’s dive in:
Why 50 characters? Because 50 is the shortest all-caps alphanumeric password length whose keyspace exceeds the keyspace of 256-bit encryption. Remember, the term “characters” includes both numbers and letters (uppercase and lowercase), as well as extended characters and even characters which can be computed and used as passwords but which are not found on your keyboard. We’ll get into that in a minute, but for now, let’s stick with the usual characters.
It’s easy to compute your Minimum Character Length, where “characters” is the total number of characters available for use in a password:
MCL = 256 * ln(2) / ln(characters)
Let’s consider the example of a numerical PIN, where you have 10 characters available: 0, 1, 2, 3 … 9. Your MCL for 256-bit encryption is calculated as follows:
MCL = 256 * ln(2) / ln(10) = 77.063…
Since 77 would cut into the required keyspace, we round up to 78. Thus, in order to achieve full AES-256 security using a numeric PIN drawn from the 10 digits, you would need a PIN that’s 78 characters long.
So, how long would it take a massive cracking array to crack a 16-character PIN? About 1.85 minutes. Even a normal hacker’s system would cut through that in about 1.29 days.
If you increase the length of the PIN to 78 numeric characters, however, you’ve increased the brute force cracking time, even with a massive cracking array capable of one hundred trillion guesses per second, to 3.53 million trillion trillion trillion trillion centuries. That’s 3.53×10^56 years. Written out, that looks like this:
That’s considered cryptographically secure.
Here are the Minimum Character Lengths for passwords required to achieve full AES-256 encryption:
- 78 – Numerical PIN: Numbers, i.e. 0, 1, 2, 3 … 8, 9
- 50 – Alphanumeric All-Caps: Uppercase letters and numbers i.e. A, B, C … Y, Z and 0, 1, 2, 3 … 8, 9
- 40 – Full Keyboard: Numbers, letters (both uppercase and lowercase), and all extended characters
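The MCL formula and the three lengths listed above, reproduced as an added example (not code from the original post). It rounds up with exact integer arithmetic so floating-point error cannot produce an off-by-one, and it generates a password of that length with a CSPRNG, since the keyspace figure only holds when every character is chosen uniformly at random. The function names are illustrative, and "full keyboard" is assumed to mean the 94 printable ASCII characters without the space, which matches the 40 given above.

```python
import math
import secrets
import string


def min_length(alphabet_size: int, bits: int = 256) -> int:
    """Smallest n such that alphabet_size**n >= 2**bits (the MCL)."""
    if alphabet_size < 2:
        raise ValueError("alphabet needs at least two symbols")
    target = 1 << bits
    # Float estimate from MCL = bits * ln(2) / ln(characters) ...
    n = math.ceil(bits * math.log(2) / math.log(alphabet_size))
    # ... then corrected with exact integers in both directions, because
    # the float result can land just above or below a whole number.
    while alphabet_size ** n < target:
        n += 1
    while n > 0 and alphabet_size ** (n - 1) >= target:
        n -= 1
    return n


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Keyspace of a uniformly random password, expressed in bits."""
    return length * math.log2(alphabet_size)


def random_password(alphabet: str, bits: int = 256) -> str:
    """Draw each character independently and uniformly from a CSPRNG."""
    symbols = sorted(set(alphabet))  # duplicates would skew the distribution
    length = min_length(len(symbols), bits)
    return "".join(secrets.choice(symbols) for _ in range(length))


# Alphabets for the three rows above; the 94-character set is an assumption.
ALPHABETS = {
    "numeric PIN": string.digits,
    "alphanumeric all-caps": string.ascii_uppercase + string.digits,
    "full keyboard": string.ascii_letters + string.digits + string.punctuation,
}

if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        n = min_length(len(alphabet))
        size = len(alphabet)
        print(f"{name}: {size} characters, MCL {n}, "
              f"{keyspace_bits(size, n - 1):.2f} bits at length {n - 1}, "
              f"{keyspace_bits(size, n):.2f} bits at length {n}")
    print(random_password(ALPHABETS["alphanumeric all-caps"]))
```

A 16-character alphabet is the case where the exact check matters: 16^64 equals 2^256 exactly, so the answer is 64.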