BLU Discuss list archive
[Discuss] On "Simple" Brute Forcing Passwords Not Being Simple
- Subject: [Discuss] On "Simple" Brute Forcing Passwords Not Being Simple
- From: kentborg at borg.org (Kent Borg)
- Date: Sat, 25 Feb 2017 20:50:04 -0500
- In-reply-to: <9D740B9D-4797-406B-8578-2B30D8343497@borg.org>
- References: <9D740B9D-4797-406B-8578-2B30D8343497@borg.org>
On 02/25/2017 02:05 PM, Kent Borg wrote:
> Once you try to do the math you'll notice the very description "20-characters" suddenly becomes pretty vague. Reasonable people won't agree on how many digits are in the answer, let alone a precise value. But one thing should be clear: It is a really big number.

I can't resist: If one assumes a 20-character passphrase is limited to a character set of just 64 characters, that's:

64^20 combinations, which just so happens to be exactly:

2^120 combinations, or:

1,329,227,995,784,915,872,903,807,060,280,344,576 combinations.

What if you check possibilities as fast as, say, 9,192,631,770 per second*? Arbitrary, fast, but plausible: we have computers with single-cycle times of that order of magnitude. Very aggressive, but plausible.

* The rate of the cesium transition that defines a second.

Assume you have a billion of these working in parallel. How long would it take to try all those possibilities?

4,585,144,309 years.

Roughly the age of the earth, to date. (That was the numerological alignment that sent me to my keyboard. Forgive me.)

That's just 2^120. If you let me use the characters in this e-mail ("^" or '-' or "~" or even " and ' and ? and . and , and - and ! and God-forbid ?--?Ol?!) you might need to try a bigger character set. Maybe you search 20 characters of a 93-character set. That's ~2^131. A horrible, horrible, crazy, big number.

And you still won't find "May the Force be with you!", because it is too long.

No, brute forcing a passphrase of any length is impossible, unless you get clever and prioritize your search. And more clever is more better. Very subtle stuff.

The day-to-day passphrase I use on my password encryption data is crazy big--only if you try to brute force it naïvely, yet unnervingly small if you know its exact format (not telling).

That's why I consider that singly-encrypted file to be very sensitive, something I don't want floating about, not without some extra layers of independent encryption around it. The difference between--on one hand--being able to brute-force my password passphrase with $5K of hardware and--on the other hand--being able to brute-force it with trillions of dollars precisely...never? Being clever and subtle in how you prioritize your search. A very big topic, something that has to account for "May the Force be with you!" and "correct horse battery staple" and "One MILLION dollars!", etc.*

* May a big corpus be with you.

-kb
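The arithmetic in the post above, carried through in code as an added example (this is not Kent's code and not part of the original thread). It reproduces the 64^20 = 2^120 keyspace, the ~4.6 billion years at a billion cesium-rate devices, and the ~2^131 figure for a 93-character set, and then makes the post's last point concrete: the same passphrase that looks like 2^183 to a naive character-by-character search collapses to about 2^66 once the attacker knows it is exactly four lowercase dictionary words. The 100,000-word vocabulary, the 93-character printable set and the 365-day year are assumed figures for illustration, not from the post.

```python
import math

# Figures taken from the post: one guess per cesium cycle
# (9,192,631,770/s) and a 365-day year. The vocabulary size used
# below is an assumption for illustration.
CESIUM_HZ = 9_192_631_770
SECONDS_PER_YEAR = 365 * 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a uniformly chosen string of `length`
    characters drawn from `charset_size` symbols."""
    return charset_size ** length


def bits(charset_size: int, length: int) -> float:
    """The same search space expressed as log2 (bits of entropy)."""
    return length * math.log2(charset_size)


def years_to_exhaust(space: int, rate_per_device: int, devices: int) -> int:
    """Whole years needed to try every candidate at the aggregate rate.

    Integer arithmetic throughout, so values on the order of 2^120
    stay exact instead of being rounded through a float.
    """
    return space // (rate_per_device * devices * SECONDS_PER_YEAR)


def format_aware_bits(vocabulary_size: int, words: int) -> float:
    """Search space once the attacker knows the passphrase is exactly
    `words` words drawn from a vocabulary of `vocabulary_size`."""
    return words * math.log2(vocabulary_size)


def compare(passphrase: str, vocabulary_size: int, charset_size: int = 93):
    """Return (naive_bits, informed_bits) for a space-separated word
    passphrase: the character-level search space versus the search
    space left after the attacker learns the format."""
    n_words = len(passphrase.split())
    naive = bits(charset_size, len(passphrase))
    informed = format_aware_bits(vocabulary_size, n_words)
    return naive, informed


if __name__ == "__main__":
    space = keyspace(64, 20)
    print(f"64^20 = 2^{bits(64, 20):.0f} = {space:,}")
    print("years to exhaust with 1e9 cesium-rate devices:",
          f"{years_to_exhaust(space, CESIUM_HZ, 10**9):,}")
    print(f"93^20 is about 2^{bits(93, 20):.1f}")
    # "correct horse battery staple": 28 characters, 4 words.
    naive, informed = compare("correct horse battery staple", 100_000)
    print(f"naive search: 2^{naive:.0f}; knowing the format: 2^{informed:.0f}")
```

The gap between the two numbers from compare() is the whole argument: nobody searches 2^183, but 2^66 is within reach of a well-funded attacker who knows the format and has a corpus, which is why an unstructured 93-character estimate overstates the strength of any passphrase built from words.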