BLU Discuss list archive
[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: kentborg at borg.org (Kent Borg)
- Date: Sun, 5 Feb 2017 11:47:52 -0500
- In-reply-to: <a3f962c7-cd61-c1ef-ff3e-b995f199c11c@gmail.com>
- References: <BD3AEAF8-C3A9-425E-A1DF-313491C25856@horne.net> <22678.5505.133056.545247@blazemonger.com> <gmSeg95lRrqD1BiAnonSofQI4-s-SX_4SDY7asObPKfjUSP7-qdxjTD9LgybioJRHcZkBKuOnpV5pYVDSYeFY3KSMRCNbv4x8ZmNfRaUV-Q=@protonmail.com> <9fbe3bd3-4b45-9ca9-095d-21d8e2d26ecc@borg.org> <a3f962c7-cd61-c1ef-ff3e-b995f199c11c@gmail.com>
On 02/05/2017 10:19 AM, Richard Pieri wrote:
> It's not expensive and it's not subtle when you can build an entry
> level password guessing rig for about $5K:

An afternoon lark! Cheap and easy, just computerize it!

Jesus.

Okay, how long a password are you going to try to crack with that rig? If I have a 13-character password, am I in the clear??

Do some arithmetic.

Say you have this fancy brute force rig, what do you run through it? How about all 12-character passwords that use 7-bit ASCII. That's 17,605,349,516,220,764,271,966,721 possibilities. And if you try all the 11-character passwords, and all the 10-character passwords, etc., it is even higher. But the 12-character passwords are the biggest component of this example.

How fast can your nifty rig make trials? 1,000,000,000,000,000 a second? I doubt it, but let's pretend it can. It will still take 558 years to try all the 12-character passwords. 11-character passwords are extra. And 13-character passwords are off the hook.

Stupid. Using stupid brute force is stupid!

But if you are strategic about your search space, you might search a few million commonly used passwords first, you might throw dictionaries at it, you might throw Project Gutenberg at it--ah, but how? Do you search passwords in my "a5-sensor-respect-price" format? If you search them knowing the format the space is tiny compared to the enormous space to search in the "it's not subtle" magic you are imagining. Only 40 bits of entropy went into the generation of that password, are you really going to count on finding it by thinking you can search a 120-bit space (37**33), or bigger?

Putting your $5,000 toy to work is going to require some serious thinking, because when you look at the space you might try to search, your $5,000 rig, impressive as it is, starts to look under-powered. And buying 10 of them only scales linearly.

If you think there is no subtlety in ordering your search space, you are going to only crack the worst passwords.

Do some arithmetic.

-kb
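The arithmetic in the message above, worked through as an added Python example that is not part of the original post; it also answers the "am I in the clear?" question by computing the longest length a given rig can exhaust in a time budget. Assumptions: the function names are illustrative, the 127-symbol alphabet is the size that reproduces the post's 12-character count, the 10^15 guesses per second rate and the 40-bit figure are the post's own, and the 37-symbol alphabet is read as a-z, 0-9 and hyphen.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet: int, length: int, cumulative: bool = False) -> int:
    """Strings of exactly `length` symbols, or of every length 1..length."""
    if cumulative:
        return sum(alphabet ** n for n in range(1, length + 1))
    return alphabet ** length

def years_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return candidates / rate / SECONDS_PER_YEAR

def max_length_exhaustible(alphabet: int, rate: float, budget_years: float) -> int:
    """Longest length whose cumulative keyspace fits inside the time budget."""
    budget = rate * SECONDS_PER_YEAR * budget_years
    length = 0
    while keyspace(alphabet, length + 1, cumulative=True) <= budget:
        length += 1
    return length

def rigs_needed(candidates: int, rate: float, budget_years: float) -> int:
    """Identical rigs required to finish in the budget; scaling is only linear."""
    return math.ceil(years_to_exhaust(candidates, rate) / budget_years)

def blind_bits(rendered: str, alphabet: int) -> float:
    """Bits of work when searching every string of this length, format unknown."""
    return len(rendered) * math.log2(alphabet)

if __name__ == "__main__":
    RATE = 1e15                       # guesses/second, the post's generous figure
    twelve = keyspace(127, 12)        # 127 symbols reproduces the post's count
    print(f"12-char keyspace: {twelve:,}")
    print(f"years at 1e15/s: {years_to_exhaust(twelve, RATE):.0f}")
    print(f"longest length exhaustible in 1 year: {max_length_exhaustible(127, RATE, 1)}")
    print(f"rigs to finish 12 chars in 1 year: {rigs_needed(twelve, RATE, 1)}")
    sample = "a5-sensor-respect-price"  # example password from the post
    print(f"format-unaware search: {blind_bits(sample, 37):.1f} bits")
    print(f"format-aware search: 40 bits, {2**40 / RATE:.4f} s at the same rate")
```
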