Assuming a SHA 256 hash and a completely random password using the extended ASCII charset, is there a specific length after which additional characters offer no increase in entropy, and if so what is this?

Thanks.

SHA-256 has 256 bits, obviously. The minimum UTF-8 character length is one byte, i.e. 8 bits. Therefore, any password longer than 256/8=32 characters is ~~guaranteed~~ extremely likely to collide with a shorter one.

Is this what you meant?

A hash doesn't increase entropy, it just, so to speak, distills it. Since SHA256 produces 256 bits of output, if you supply it with a password that's completely unpredictable (i.e., each bit of input represents one bit of entropy) then anything beyond 256 bits of input is more or less wasted.

Other than from a truly random source, however, it's really hard to get input that has one bit of entropy for every bit of input. For typical English text, Shannon's testing showed about one bit of entropy per *character*.

I don't think there is an "effective" limit. Password of any length will be effective if it is effectively created (the usual rules, no words, mixed numbers, letters, cases and characters). It is best to force user to follow these rules rather then limit length. But minimum length should be imposed, sth like 8-10 characters, to save the users from themselves.

I have come to roughly the same conclusion as the others did, but with a different rationale.

Generally speaking, a preimage (brute force) attack on SHA-256 requires 2^256 evaluations, *regardless of password length*. In other words, a hash of a "password" that is thousands of characters long would still take an average of 2^256 tries to duplicate. 2^256 is about 1.2 x 10^77. However, a very short password, where the number of possibilities is less than 2^256, is even easier to break.

**The threshold is passed when the number of possibilities is greater than 2^256.**

If you are using ISO 8859-1, which has 191 characters, there are 191^n possible random passwords of length n, where n is the length of the password. 191^33 is about 1.9 x 10^75 and 191^34 is about 3.6 x 10^77, so the threshold would be at **33 characters**.

If you were using plain ASCII, with 128 characters, there would be 128^n possible random passwords of length n, where n is the length of the password. 128^36 is about 7.2 x 10^75 and 128^37 is about 9.3 x 10^77, so the threshold would be at **36 characters**.

Some of the other answers seem to imply that the threshold is always at 32 characters. However, if my logic is correct, **the threshold varies, depending on the number of characters you have in your character set**.

In fact, suppose that you used only characters a-z and 0-9, you would continue to add password strength up until your password was **49 characters** long! (36^49 is about 1.8 x 10^76)

Hopefully this answer gives you a mathematical basis for answering the question.

As a side note, if a birthday (collision) attack were possible on SHA-256, it would theoretically require only 2^128 evaluations (on average), which is about 3.4 x 10^38. In that case, the threshold for ISO 8859-1 would be at only **16 characters** (191^16 is about 3.1 x 10^36). Thankfully, such an attack has not yet been publicly demonstrated.

Please see the Wikipedia articles on SHA-2, preimage attacks, and birthday attacks.

Similar Questions

What is the maximum length of a variable name in JavaScript?

I have an error (Password length must be between 6 and 32 characters long) set up so when users try to register with a password less than 6 characters, they get that error and are unable to sign up,

FromBase64String Method maximum length

I want users signing up on my site to choose passwords that include: Minimum of 8 characters At least one uppercase At least one lowercase At least one digit. But these are the minimum requirements.

This question already has an answer here: Set the maximum character length of a UITextField 23 answers Is there any way to set the maximum length on a UITextField? Something like the MAXLENGTH

In local security policy (PC-Control panel-Administration-local security policy) there is a parameter Minimum length of the password and a parameter Password must meet complexity requirements (tru

I'm using jQuery to compare the values of two input fields. One is the maximum value and one is the minimum value. The objective of the validation is to check if the minimum value is greater than

How to find minimum and maximum length given a regular expression ? For example [1-9]?[0-9] This regular expression can generate a minimum 1 (0 or 1 0r 2.... or 9) and a maximum of string length 2 (

I need to validate user input of an international phone number. According to E.164, the maximum length is 15 digits, but I was unable to find any information about the minimum. I consider digits only,

I have a checkstyle rule that limits the maximum method length. It doesn't seem to work correctly on groovy files and I suspect it has to do with how closures are handled by checkstyle. In general, do

I'm working on a Hadoop streaming workflow for Amazon Elastic Map Reduce and it involves serializing some binary objects and streaming those into Hadoop. Does Hadoop have a maximum line length for str

I was trying to find the entropy of a certain probability distribution in MATLAB. For p, I tried doing E = -sum(p .* log2(p)) and Echeck = entropy(p) Shouldn't E and Echeck be same? The matlab help

Is there a maximum length for a username or password which is sent to a web application through HTTP BASIC authentication? I looked through RFC2617 and couldn't find anything obvious, but was curious

I have an array $a = array( 2010-05-03 =>100, 2010-05-04 =>400, 2008-05-01 =>800, 2011-01-01 =>800 ); How do I find maximum and minimum by key( date)? For example: max => 20

I will execute a big query so i want to know what is the maximum length of a mongodb query ?

I need to display the maximum rate and minimum proposal rate along with count of proposals for each request that is posted by a logged in user using Statistical/ Relational Query. I am getting the cou

I have a function and I would like to find its maximum and minimum values. My function is this: def function(x, y): exp = (math.pow(x, 2) + math.pow(y, 2)) * -1 return math.exp(exp) * math.cos(x * y)

If I have a UIDatePicker, and I wish to set the minimum and maximum date range to be between thirty years ago and thirty years in the future, how would I set that up?

I have a graph that has dates on the x-axis and I'm trying to set maximum and minimum values for this axis using an Excel VBA. Below is my code which doesnt seem to work.Can anyone please help. With A

Based on the following code, I need to find the minimum and maximum final values of x x=1 i=1 cobegin while (i<4) while (i<4) begin begin x=x*2 x=x*2 i=i+1 i=i+1 end end coend I figured that th

I want to break a string up into lines of a specified maximum length, without splitting any words, if possible (if there is a word that exceeds the maximum line length, then it will have to be split).

I want to store number that can be of length more than 20 digit but not has maximum length defined. I search for the datatype that hold maximum value entered and found varchar(max), I want to have som

I'm using MySQL, and I'm looking for a way to get the global maximum and minimum values (for the whole table) from two columns (for example, posx and posy), using only one query.

I need to get the length of a .wav file. Using: sox output.wav -n stat Gives: Samples read: 449718 Length (seconds): 28.107375 Scaled by: 2147483647.0 Maximum amplitude: 0.999969 Minimum amplitude: -

I need to get maximum and minimum values but also I need to get row id of these maximum or minimum on the same row. SELECT MIN([Value]), MAX([Value]), id FROM [AnalystEstimates].[dbo].[AnalystEstimate

I've tried to implement an algorithm that would search for both minimum and maximum elements in a given array, and used the ideas from Cormen's Introduction to Algorithms. My code compiles and starts

Does anyone know what the Maximum URL length is in Silverlight (version 4 if it matters)? I know it is 2048 and basically infinite for Firefox (the two environments I have tested in), but Image reques

Has anyone managed to set maximum field lenghts for text fields How can i set the maximum length of a text field. Here is the code iam using <%= text_field_tag(:create_text), :input_html => {:ma

What is the easiest way to determine the maximum match length of a regular expression? Specifically, I am using Python's re module. E.g. for foo((bar){2,3}|potato) it would be 12. Obviously, regexes u

Considering an ideal source with an alphabet with N=2^n+1 symbols, compute minimum an maximum entropy. The first symbol has the probability of 1/2. Maximum entropy is reached when all symbols have the

In a table that contains the Employee ID of every employee, the login time and the logout time for each employee, I need to extract the minimum from login time and maximum from logout time for each da

i have the following code to compute minimum and maximum values of a list in order to save memory efficiency x_min = float('+inf') x_max = float('-inf') for p in points_in_list: x_min = min(x_min, p)

As per title, what is the maximum length a URL can be, when using a custom URL scheme with an app? e.g. If I'm launching another app via URL, and passing a blob of data using something like &nbs

I validate a surname field like this validates :surname, :presence => true, :length => { :within => min_surname_length..max_surname_length, :message => is bad (minimum is #{min_surname_l

Under Win7, open Control Panel -> Power Options -> Advanced Settings->Processor power management. you can see Minimum Processor state, Maximum Processor state. I want to get the value of Proc

I'm working on a random password generator to create passwords that meet certain conditions including, but not necessarily limited to: minimum length: has to contain at least 8 characters lower case

I created file that has students scores. I got the average of each of them, but now how do I find the maximum and minimum of each test. I tried but it just prints random numbers, and ideas?Also if i w

The problem all started when Mircosoft updated the security of systems by requiring a minimum key length of 1024. Please refer to Microsoft Security Advisory (2661254). In the past, we were using the

I have 2 textbox one is of Minimum Price and other is of Maximum Price.I want the validation when one enter the Minimumm price greater than Maximum Price that you have enter the Minimum Price greater

I have a probability distribution that defines the probability of occurrence of n possible states. I would like to calculate the value of Shannon's entropy in bytes that corresponds to the given proba

To store user passwords I am going to SHA 256 + salting. Just wanted to confirm if these are correct. Business requirement is password should be minimum 8 inputs and maximum 32 inputs. (any input is v

I would like to calculate the maximum value of the minimum values of each row in a spreadsheet (google docs, specifically) that is greater than 0. I hope that makes sense. My data is: 0 6 7 8 1 0 12 2

I want to store the data returned by $_SERVER[REMOTE_ADDR] in PHP into a DB field, pretty simple task, really. The problem is that I can't find any proper information about the maximum length of the

Under Win7, open Control Panel -> Power Options -> Advanced Settings->Processor power management. you can see Minimum Processor state, Maximum Processor state. I have get the value by powercf

I am try to make Procedure for fetching maximum price of lowest nearest date from given table. In procedure i have to pass only MaterialNo and Date, base on that i want max price of lowest nearest mon

I'm trying to find the maximum and minimum numbers out of 2 integers that a user has inputted. Firstly i have converted the string to int, then went to put them into an array so i can manipulate them.

Am new to android In a app am using editText its maximun text length is 2 Here my question After entering two characters in editText (i.e) when editText reaching the maximum text length it shuold au

I have a flow network with some edges and nodes. On the edges that leaves that source node, I would like to place some minimum flow, so that there's at least x flow on that edge (and if that's not pos

I want to send a mail but it gives me a the following error Paragraph is too large i want to know that what is the maximum length of a mail while sending in asp vbscript

I have the following Regex expression for java application: [\+0-9]+([\s0-9]+)? How to restrict the above expression of telephone number to a minimum of 4 digits and maximum of 7 digits? I thought it