Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] ssh keys question



On Sat, Jun 18, 2016 at 12:32 AM, Kent Borg <kentborg at borg.org> wrote:

> If I have 2048 words, that is 2^11, if I randomly pick one and you want to
> guess it you will take about 1000-tries to have a 50% chance of guessing my
> word. The fact that my word appears in a dictionary doesn't change there
> there are 2048 words in that dictionary, it takes time to guess them all.
> If I put three such randomly chosen words in a row then the number of
> possibilities is cubed and the number of guesses to hit my choice is also
> cubed.


?Even better ...?

My dictionary search against  your synthetic memorable 32bit password will
only be only (2^11)^3? if i guess or know which 2048-word short-dictionary
you're using, or slowly infer it from observed leakage somehow.

If you use XKCD's up-goer word list, that's a well know list and yeah, i
can guess that.

Or if you used for your wordlist the same wordlist the famous cracking
software uses for their short password guessing wordlist. Uh no, bad
choice!

If you took a 30k - 100K wordlist and selected a 2k word subset randomly,
maybe excluding the 20-50% least common for ease of spelling, you'd have a
custom list of 2k words that i can't guess. I might be able to slowly
reconstruct that list if i can get your disgruntled ex-employees to tell me
what their passwords used to be, since it's harmless fun ... heh heh  ...
1000 telling me their 3 words has a good chance of giving me most of them
but i'll still be a few short in all likelyhood, but it's good enough.

But that still leaves me with executing the 2^32 dictionary attack.

 Which is likely only interesting if i've stolen all your users' hashes
already and you have poor salts and hashes so i can rainbow table to find
multiple users at once. Doing 2^32 trials coming in the front door of a
server is likely to get noticed as a DOS, aside from taking literally
forever.


-- 
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org