[Discuss] deadmanish login?
Kent Borg
kentborg at borg.org
Sun Feb 5 11:47:52 EST 2017
On 02/05/2017 10:19 AM, Richard Pieri wrote:
> It's not expensive and it's not subtle when you can build an entry
> level password guessing rig for about $5K:
An afternoon lark! Cheap and easy, just computerize it!

Jesus.

Okay, how long a password are you going to try to crack with that rig?
If I have a 13-character password, am I in the clear??

Do some arithmetic.

Say you have this fancy brute force rig, what do you run through it? How
about all 12-character passwords that use 7-bit ASCII.

That's 17,605,349,516,220,764,271,966,721 possibilities. And if you try
all the 11-character passwords, and all the 10-character passwords,
etc., it is even higher. But the 12-character passwords are the biggest
component of this example.

How fast can your nifty rig make trials? 1,000,000,000,000,000 a second?
I doubt it, but let's pretend it can. It will still take 558 years to
try all the 12-character passwords. 11-character passwords are extra.
And 13-character passwords are off the hook.

Stupid. Using stupid brute force is stupid! But if you are strategic
about your search space, you might search a few million commonly
used passwords first, you might throw dictionaries at it, you might
throw Project Gutenberg at it--ah, but how? Do you search passwords in
my "a5-sensor-respect-price" format? If you search them knowing the
format the space is tiny compared to the enormous space to search in the
"it's not subtle" magic you are imagining. Only 40-bits of entropy went
into the generation of that password, are you really going to count on
finding it by thinking you can search a 120-bit space (37**33), or bigger?

Putting your $5,000 toy to work is going to require some serious
thinking, because when you look at the space you might try to search,
your $5,000 rig, impressive as it is, starts to look under-powered. And
buying 10 of them only scales linearly. If you think there is no subtlety
in ordering your search space, you are going to only crack the worst
passwords.

Do some arithmetic.
-kb
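The search-space arithmetic in the message above, written out as an added example (not part of the original post or the list archive). It assumes the post's 7-bit ASCII count means 127 usable codes (NUL excluded), since 127**12 reproduces the post's figure exactly, and treats the sample password as 23 characters over a 37-symbol alphabet (letters, digits, hyphen), with the 40-bit generator entropy taken from the post.

```python
# Added example: keyspace size, time-to-exhaust and entropy comparison
# for the numbers discussed in the post. Not code from the original message.
import math

TRIALS_PER_SECOND = 10**15          # the post's generous "pretend" guess rate
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """All passwords of length 1..max_length ("11-character passwords are extra")."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def years_to_exhaust(space: int, rate: int = TRIALS_PER_SECOND) -> float:
    """Wall-clock years to try every candidate once at `rate` guesses/second."""
    return space / rate / SECONDS_PER_YEAR


def bits(space: int) -> float:
    """Search-space size expressed as bits of entropy."""
    return math.log2(space)


# Assumption: 7-bit ASCII minus NUL = 127 symbols; 127**12 matches the post.
ASCII7 = 127
naive_12 = keyspace(ASCII7, 12)

# "a5-sensor-respect-price" is 23 characters; searched blindly over letters,
# digits and hyphen (37 symbols) versus the 40 bits its generator used.
naive_structured = keyspace(37, 23)
GENERATOR_BITS = 40


def summary() -> dict:
    """Collect the figures a reader would want to check against the post."""
    return {
        "naive_12_space": naive_12,
        "naive_12_years": years_to_exhaust(naive_12),
        "share_of_12_in_1_to_12": naive_12 / keyspace_up_to(ASCII7, 12),
        "blind_structured_bits": bits(naive_structured),
        "generator_bits": GENERATOR_BITS,
        "generator_seconds": 2**GENERATOR_BITS / TRIALS_PER_SECOND,
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:>24}: {v:,}" if isinstance(v, int) else f"{k:>24}: {v:.4g}")
```

The last two entries are the point of the post: the same rig that needs centuries for the blind 12-character space exhausts a 40-bit generator space in about a millisecond, so what matters is how the search is ordered, not how fast the hardware is.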