From: Gomar on 21 Feb 2010 23:53

"Short passwords are vulnerable because every permutation of the 95 possible characters can be tried. A five-character password has only 95^5 or about 7.7 billion possible combinations."

7.7 billion is good enough for me. Only a high tech foe would even attempt to try a brute force attack, which would take too long given such odds even for the NSA, FBI, CIA, etc.

I only see a problem in remembering the pw if it consists of non-words, something like K4cQ9. Even a two-character pw has 3844 combinations if using upper-case alpha, lower-case alpha, numbers 0-9. Using that, a 4 byte pw has 14,776,336 possible combinations.
From: David Eather on 22 Feb 2010 07:01

On 22/02/2010 2:53 PM, Gomar wrote:
> "Short passwords are vulnerable because every permutation of the 95
> possible characters can be tried. A five-character password has only
> 95^5 or about 7.7 billion possible combinations."
>
> 7.7billion is good enough for me. Only a high tech foe would even
> attempt to try a brute force attack. which would take too long given
> such odds even for the NSA, FBI, CIA, etc.
>
> I only see a problem in remembering the pw if it consists of non-
> words, something like K4cQ9. Even a two-character pw has 3844
> combinations if using upper-case alpha, lower-case alpha, numbers
> 0-9. Using that, a 4 byte pw has 14,776,336 possible combinations.

The difficulty in cracking this sort of password is about 2**32 encryptions. IOW, it is insecure from anyone. There are many password cracking programs around. Some have a trial mode that will crack up to five letters. The time needed is between minutes and hours for anyone with a PC even if they don't want to take much time, money or effort.
From: bmearns on 22 Feb 2010 10:55

On Feb 21, 11:53 pm, Gomar <rompho...(a)gmail.com> wrote:
[snip]
> 7.7billion is good enough for me. Only a high tech foe would even
> attempt to try a brute force attack. which would take too long given
> such odds even for the NSA, FBI, CIA, etc.
[snip]

That's not at all true. This sort of brute force attack definitely doesn't require any higher tech than the average first-world citizen has available in their cell phone. In case you're not familiar with current technology, 1 or 2 gigahertz processors are the norm on general purpose computers: that's a billion or more operations per second. Even a relatively poor performing modern computer could enumerate all such passwords in a few hours, tops. Even if it took a thousand operations to produce a single password (it shouldn't take more than a few dozen, tops), you're talking about just over two hours to produce them all. And setting up a brute force attack doesn't require much sophistication at all (basically by definition); a high school student with a few weeks of programming classes could easily write a routine to do it.

The one thing that could potentially save such a weak password is how it's validated. If you have a true gate keeper setup (in which you have to convince some agent/program that you know the correct password) and this gate keeper is set up to, for instance, take a full second to check each password, then yes, it would take too long. But if such precautions were not built into the gate keeper, or if the gatekeeper can be bypassed (which is very often the case), then it is beyond plausible that any script kiddie could crack it with ease and in a realistically short period of time.

Now on the other hand, a 10 character password from the same 95 character alphabet has over 59.8 quintillion possibilities. If an attacker could try a billion passwords per second, it would still take over 1800 years to go through all of them.

-Brian
From: Kristian Gjøsteen on 22 Feb 2010 13:18

Gomar <romphotog(a)gmail.com> wrote:
>Great! However, how anyone could memorize a random 10 character
>password is a mystery to me.

Some of us have a brain.

See also diceware.

--
Kristian Gjøsteen
From: bmearns on 22 Feb 2010 14:01

On Feb 22, 1:18 pm, Kristian Gjøsteen <kristiag+n...(a)math.ntnu.no> wrote:
> Gomar <rompho...(a)gmail.com> wrote:
> >Great! However, how anyone could memorize a random 10 character
> >password is a mystery to me.
>
> Some of us have a brain.
>
> See also diceware.
>
> --
> Kristian Gjøsteen

I'm pretty sure diceware was created either by someone who has little or no experience in cryptography, or someone who wants to make it easier to break into people's accounts and systems. It's a dictionary attack waiting to happen. He even provides the dictionary!
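The numbers traded in this thread (95^5, 62^2, 62^4, 95^10, "just over two hours", "over 1800 years", the one-second-per-attempt gatekeeper) and the Diceware passphrases mentioned in the last two posts all come from one calculation: keyspace size divided by guessing rate. The script below carries that calculation through for every figure quoted and for a word-based passphrase; it is an added example written for this page, not code from any poster. The guessing rates are assumptions chosen to match Brian's scenarios (a million guesses per second for his pessimistic thousand-operations-per-guess machine, a billion per second for his faster attacker, one per second for a throttled gatekeeper), and the 7776-entry list size is the standard Diceware list (five dice, 6^5 outcomes).

```python
import math

# Alphabet sizes discussed in the thread
PRINTABLE_ASCII = 95    # every printable ASCII character, the figure in Gomar's quote
ALNUM = 62              # A-Z, a-z, 0-9, Gomar's 62-symbol example
DICEWARE_WORDS = 7776   # entries in a Diceware word list (5 dice, 6**5 outcomes per word)

# Assumed guessing rates for the scenarios in Brian's posts (constructed, not measured)
OFFLINE_SLOW = 1e6          # 1 GHz machine spending 1000 operations per guess
OFFLINE_FAST = 1e9          # "a billion passwords per second"
ONLINE_THROTTLED = 1.0      # gatekeeper that takes a full second per attempt

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols. Symbols may be characters or whole words, so the
    same formula covers Diceware-style passphrases: the word list is public, and the
    security rests entirely on how many equally likely word sequences there are."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """log2 of the keyspace, the usual unit for comparing schemes with different alphabets."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a fixed rate. The expected time to
    reach one particular secret is half of this; the order of magnitude is what matters."""
    return space / guesses_per_second


def summarize(alphabet_size: int, length: int, guesses_per_second: float) -> dict:
    """Keyspace, entropy and exhaustive-search time for one scenario."""
    space = keyspace(alphabet_size, length)
    secs = seconds_to_exhaust(space, guesses_per_second)
    return {
        "keyspace": space,
        "bits": entropy_bits(space),
        "seconds": secs,
        "hours": secs / 3600,
        "years": secs / SECONDS_PER_YEAR,
    }


def _fmt_time(seconds: float) -> str:
    if seconds < 3600:
        return f"{seconds:9.1f} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:9.1f} h"
    return f"{seconds / SECONDS_PER_YEAR:9.0f} yr"


if __name__ == "__main__":
    scenarios = [
        ("2 chars, alnum (62^2)",        ALNUM, 2),
        ("4 chars, alnum (62^4)",        ALNUM, 4),
        ("5 chars, printable (95^5)",    PRINTABLE_ASCII, 5),
        ("10 chars, printable (95^10)",  PRINTABLE_ASCII, 10),
        ("5 Diceware words (7776^5)",    DICEWARE_WORDS, 5),
    ]
    print(f"{'secret':30} {'bits':>6} {'1e6/s':>12} {'1e9/s':>12} {'1/s throttled':>14}")
    for label, alphabet, length in scenarios:
        space = keyspace(alphabet, length)
        cols = [_fmt_time(seconds_to_exhaust(space, r))
                for r in (OFFLINE_SLOW, OFFLINE_FAST, ONLINE_THROTTLED)]
        print(f"{label:30} {entropy_bits(space):6.1f} {cols[0]:>12} {cols[1]:>12} {cols[2]:>14}")
```

Two things the table makes visible that the prose argues around: the throttled gatekeeper column is the only one in which a five-character password survives, which is why an online rate limit is a control on the verifier and not a property of the password; and a five-word passphrase from a published 7776-word list sits at roughly 65 bits, in the same band as a ten-character random password, because the attacker's knowledge of the list is already assumed in the count.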