@mrf I see your problem, but all your calculations and assumptions are way off. Assuming the secret has full entropy in any case (http://labs.bittorre...ogy.html#secret mentions using dev/random or cryptoapi for that) we have, for the various mentioned secret lengths: 32 characters of base-32 text, meaning 5 bits per character: 160 bit of entropy 40 characters of base-64 text, meaning 6 bits per character: 240 bit of entropy (@verloren: Thinking of security in terms of "number of possible combinations" usually leads to ununderstandable numbers and in security discussions should be reserved to snake-oil vendors who want to dazzle you with incomprehensibly large numbers with no real meaning. Just express everything in log2, that is: bits, and everything becomes so much easier. Especially since multiplication becomes simple addition.) @mrf: The security of AES-128 is about 128 bits. It is generally agreed upon that any number exceeding the ~80-90 bit mark falls into the "impossible" category. There are various nice calculations about the effort needed to break a 128 bit key with results like "storage: 1 result per atom -> more atoms than there are in the universe", "more time than is left before our solar system is swallowed by our sun" and "the energy required would boil up all the oceans on planet earth". I think full-entropy(!) keys of this magnitude can safely be said to not be worth worrying about. Compare your folder name suggestion: English language has an entropy of about 1-2 bits per character, folder names will probably be about 10 characters average (note: this is the only number I've pulled out of my ass), leaving you with about 15 bits of additional entropy. Compared to the 160 bit we talked about before that's next to nothing. But adds considerable inconvenience (see Automatic Coding's post). @mrf The other point you were talking about (undirected attacks) is called a birthday attack. Instead of breaking a a particular key, in this instance an attacker just wants to find *any* two identical secrets. For an attack on a specific secret of length 160 bits, an attacker can expect to succeed on average after 2159 tries. For a birthday attack success will, on average, reach a high probability after approximately 280 attempts (half bit size). Now: 80 bits is still insanely large. Additionally think about what it means: The collision the attacker would find would with overwhelming probability be one with his own attacks. More realistically attacking *any* other secret should be treated as subtracting from the secret length. Say every person on earth (7 billion) had a thousand synced folders, leading to 7*1012 distinct secrets on the network. In log2 that's about 43. The complexity to attack *any* folder now is 160-43 = 117 bit. Have fun boiling the oceans while waiting for the sun to go red giant! :-) @kos13/bittorrent sync team: I still have problems understanding the security properties. One of the issues is the exact secret length. The number above (32 characters base-32) I came up with by counting in the screenshots. Your website sometimes mentions 21 bytes, which is different from 160 bits. Also you offer up the encryption algorithm to be AES-256, which whould require a 256 bit key. Then there's the base-64 thing with still a different number. A concise table with exact security parameters (paying attention to the distinction between bytes, bits and characters) would be nice. Also, coming from sort of a security background, I don't fully understand how read-only/time-limited keys are supposed to work. It would be really great if you had a protocol description somewhere. How does a secret become a key? How is the actual transmission protected? -- Henryk Plötz Grüße aus Berlin