The premise reminds of discussions of computing in Ra. <a href="https://qntm.org/aum" rel="nofollow">https://qntm.org/aum</a><p>> "Don't talk about the future," Vidyasagar says.<p>> "What? Why not?"<p>> "Look at this computer," Vidyasagar says, gesturing at the mainframe. "Computers are getting more powerful, yes?"<p>> "Sure."<p>> "What is the most powerful computer that will be built? Ever. Not this year. Not this decade. What computer will be the most powerful? And how powerful will it be? And how big?"<p>> Hatt thinks on this for ten long seconds. He opens his mouth, but never actually forms a word. The scale of the question is beyond him.<p>> Vidyasagar says to him, "No matter what you say, you will look like a fool. Every statement about the future turns out to be foolish."
I could be wrong (my physics background isn't that strong either) but I think Dyson's "time without end" paper <a href="http://www.aleph.se/Trans/Global/Omega/dyson.txt" rel="nofollow">http://www.aleph.se/Trans/Global/Omega/dyson.txt</a> shows that eventually the universe will cool down enough to make all keys brute-force-attackable despite Bremermann's limit.<p>Given a finite amount of attacker computation you're willing to defend against, you can get a real advantage from key stretching (though not from mere salting). If you want a password strength of 256 bits, you can memorize a password of 226 bits and require work equivalent to 2³⁰ key-hashing operations to derive the actual encryption key or crypted password. This is normally called a KDF; reasonable ones are scrypt, bcrypt, and Argon2, in ascending order of goodness.<p>If you make the work factor unreasonably large, you won't be able to use the password in practice, because you have to do that work every time you use it. For example, if you try to memorize 170 bits of password and use a 2¹⁷⁰ work factor in your KDF to reach the 340-bit security level, recommended here, you have to do 2¹⁷⁰ work on your laptop every time you log in. Assuming a trillion operations per second (a safe upper bound for current laptops) each login will take about 47 nonillion years, about a sextillion times longer than the history of the universe so far and about 50 times longer than the expected lifetime of the last galaxies (see <a href="https://en.m.wikipedia.org/wiki/Timeline_of_the_far_future" rel="nofollow">https://en.m.wikipedia.org/wiki/Timeline_of_the_far_future</a>). It may be inconvenient to wait that long.<p>For the same reason that a KDF is a safe way to derive keys for decrypting data at rest, in a client-server system, you can generally do this work on the client safely, so it doesn't pose a denial-of-service risk.
> A password with 327 bits of entropy is nearly impossible to crack even if you burn the whole observable universe trying to do so.<p>This is exactly the question I was asking me when starting the article, and it is answered perfectly.
There's an older version of this argument in Schneier's Applied Cryptography (1996). He also concludes that a 256-bit key is secure "until computers are made from something other than matter and consume something other than energy", IIRC.<p>However, despite things like Ed25519 using 512-bit curve points for 256-bit security (you lose a factor 2 off your exponent because math), this particular instantiation fails much harder if a quantum computer running Shor's algorithm ever becomes reality.<p>Meanwhile, 123456 still tops the password charts wherever it is allowed.
This is probably a decent estimate, but there's a couple of routes of attack it fails to account for.<p>First it uses the <i>current</i> average temperature of the universe. Lowering the temperature can be done by just waiting a while before turning the machine on. I assume that powering a sufficiently powerful fridge is not an option, given the origin of the theoretical limit, but I can't quite point out <i>why</i> it wouldn't work.<p>Secondly it assumes that an unsuccessful attempt must flip at least some bits in an semi-permanent manner. This is obviously true of all current computers, but doesn't <i>have</i> to be true for all possible apparatuses. A specialized hyper-efficient password cracking system should be <i>expected</i> to get below this limit. Will we ever build one? Who knows.<p>Arguably this latter 'loop-hole' is just pointing out that quantum computers or more efficient algorithms could do better, so maybe we should absorb it into the definition of 'brute-force'.
> An excerpt from a religious text with a trailing space:<p>> "I'd just like to interject for a moment. What you’re referring to as Linux, is in fact, GNU/Linux,"
Is this proof that the universe cannot understand itself? It seems weird that there can be a set of information in the universe that can be hidden from the rest of the universe.
I can't say I understood and evaluated all the physics here (I skimmed parts) but I was pretty surprised by how small the estimate was. I would've assumed that, were we to have one or two thousand years more cryptographic history, we'd end up using ginormous keys (maybe on the order of 1 MiB?). But this suggests that 512 or 1024 bits might be all we need.
Speaking of physically immune schemes, I remember some protocol which relied on a gigantic amount of data present behind a link that was, on purpose, very low bandwidth (physically low bandwidth: not by software as in rate limitation. That was the whole point: the link was physically low bandwidth).<p>So the data was impossible to exfiltrate remotely: it simply wasn't physically possible to do remotely (it would be way too slow).<p>I forgot the name and what the data was used to protect/derive: maybe some authentication scheme?<p>Anyone knows what I could be talking about? I'm pretty sure I saw that posted here on HN in the past.
It doesn't account for quantum computing? Cracking passwords seems like one of those things that should get an exponential speedup with quantum computing.
I suspect this can be bypassed with knowledge about the size of the target system.<p>Intuitively, there are a finite number of passwords that can be stored on earth, so a large enough system should be able to enumerate them? Whilst also existing in the observable universe.