From: bmearns on
On Feb 23, 7:31 pm, Gomar <rompho...(a)gmail.com> wrote:
> On Feb 23, 9:42 am, bmearns <mearn...(a)gmail.com> wrote:
[snip]
> > I see you have a gmail account...interesting.
>
> pardon, sire, as do you.

Yes, but I use more than 5 characters for my password.

From: bmearns on
On Feb 23, 7:31 pm, Gomar <rompho...(a)gmail.com> wrote:
> On Feb 23, 9:42 am, bmearns <mearn...(a)gmail.com> wrote:
[snip]
> using A-Z, a-z, 0-9
> 1 character pw has 62 possible combinations, and should take 5secs to
> crack;
> 2 - 3906 - 6m (trial run 1m)
> 3 - 242234 - 7h10m
> 4 - 15018570 - 20days
> 5 - 931151402 - 3 years, 7 months
>
> beyond 5, number of combinations get ridiculous, much higher
> than the age of the universe.
> Thus, what's the point of above a 4 character pw and 128bit
> encryption?

I can pull numbers out of my butt, too, but it doesn't mean they're
right. Where are you even getting these? Even if they were accurate,
what makes you think 3 years and 7 months is unreasonable? Someone
could start a script running today, and break into your email account
by the time the next winter Olympics come around.

Also as someone pointed out, adding a sixth character would not
stretch the time to exceed the age of the universe (unless that
character was chosen from a set of several billion). It would take
another 6 characters to do that. Even 5 more characters would stretch
your estimates to less than 4 billion years.

I've got a python script running right now that's brute forcing a
trial winzip archive with a 5 character password using your 62
character alphabet. The current estimate puts the max time at less
than 540 days, so less than a year and a half. And of course, that's
assuming it's the last password that the script tries. Now yes, a year
and a half is a fairly long time, but it's certainly attainable and
reasonable, especially considering I don't actually have to put any
more effort into it, I just have to wait. But it obviously depends on
the context: if the archive is going to be worthless in 3 days, then
it's probably safe. If it will still be worth being able to break into
it 5 years from now, it's not at all safe.

My time estimate is for a single 3GHz core (admittedly, slightly
faster than might be typical, but certainly not advanced tech),
running interpreted code as just one of many processes. I could write
the same script in a compiled language and probably speed things up a
bit. I could kill a bunch of the other processes and speed things up
significantly. I could have multiple copies of the script running at
once (on different subsets of the solution space) and possibly get a
good speed up, too. And of course, I could turn on my laptop and run
it there with a different subset, and cut the time in half. I could
run it on my other three computers as well and cut the time to a fifth
(we're already inside of 4 months). Your average household might not
have 5 computers, but it's certainly not a completely extraordinary
scenario, and someone who makes their living (or even just a hobby) by
cracking into other people's systems could very reasonably have this
many or more. For that matter, anybody running a botnet could crack it
in a matter of days, if not hours.

There is also a ton of optimizations I could do on the script. It's
calling operating system routines to get the time and report status,
and it's performing unnecessary conditionals to decide whether or not
status is worth reporting. It's currently reporting status about every
30 seconds, but I could cut this down to once per hour, once per day,
or even not at all and save a bit of overhead. I could also unroll
some of the loops. But the biggest delay in the script is the
subprocess that invokes the zip utility. There's a lot of overhead to
create and start the subprocess, plus the zip utility has its own
start-up overhead (parsing command line options, etc). The most
relevant command offered by this utility is to test the archive, so
it's probably doing quite a bit more than it would need to just to
verify whether or not the password is correct. All of this overhead
could be removed if I felt like implementing the actual decryption
algorithm directly in my script.

Running the same cracking script without actually invoking the zip
utility completed in under 4 hours: insignificant compared to the time
it will take with invoking the utility (less than 1/20th of a
percent), which means practically all the cracking time comes from
invoking the utility. Some additional testing shows that the time
difference between invoking the utility on a password protected
archive, versus one that is not password protected, is significantly
less than 1%, meaning the time it actually takes the utility to
determine if the password is correct or not is less than 1 percent of
the total runtime for the utility. Implementing the decryption
directly in the script, and therefore avoiding the call to the utility
entirely, should therefore cut the time down to about 1%. We'll call
it 5% to be conservative, and we're still down to less than 27 days.
And that's still just one process on one computer. Put all 5 of my
systems on it, and I can finish in less than a week.


In conclusion, if you think a script-kiddie couldn't crack your 5
character password inside of two years, you're naive. If you think a
halfway decent programmer couldn't crack your 5 character password in
a few months, you're ignorant. And if you think the NSA or another
government agency couldn't crack your 5 character password by the end
of the week, you're just plain stupid.

Sincerely your,
-Brian

From: Gomar on
On Feb 23, 10:42 pm, bmearns <mearn...(a)gmail.com> wrote:
> On Feb 23, 7:31 pm, Gomar <rompho...(a)gmail.com> wrote:
>
> > On Feb 23, 9:42 am, bmearns <mearn...(a)gmail.com> wrote:
> [snip]
> > > I see you have a gmail account...interesting.
>
> > pardon, sire, as do you.
>
> Yes, but I use more than 5 characters for my password.

So are you saying you could hack into my gmail account? By all means,
please do.
I do use 5 character pw so I could easily remember it. START...

From: Gomar on
On Feb 23, 9:18 pm, g...(a)nope.ucsd.edu (Greg Rose) wrote:
> >...
> >5 - 931151402 - 3 years, 7 months
>
> >beyond 5, number of combinations get ridiculous, much higher
> >than the age of the universe.
>
> No, actually, it goes up by a factor of 62 for
> each character, so 6 is about 183 years. Not exactly the age of the universe.

I said number of >COMBINATIONS< ... not how long it takes.
No number can be higher than the age of the universe, which is about
15 billion years old.

From Winzip's help file: "In fact, taking maximum advantage of the
full strength of AES encryption requires a password of approximately
32 characters for 128-bit encryption"

Thus, 32 characters is how many combinations, and how long would it
take to crack?
How would you memorize 32 characters at all?
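
Added example, not part of any post in this thread: a short Python check of the arithmetic argued over above (the quoted counts, the factor-of-62 scaling, and the password length that matches a 128-bit key). It assumes uniformly random passwords over the 62-character alphabet and a constant guess rate, scales times from the quoted "3 years, 7 months" figure for 5 characters, and all function names are this example's own.

```python
import math

ALPHABET = 62  # A-Z, a-z, 0-9, as in the thread

def keyspace(length, alphabet=ALPHABET):
    """Count passwords of 1..length characters (shorter lengths are tried too)."""
    return sum(alphabet ** k for k in range(1, length + 1))

def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of one uniformly random password of exactly `length` characters."""
    return length * math.log2(alphabet)

def min_length_for_bits(bits, alphabet=ALPHABET):
    """Shortest random password whose space reaches 2**bits (exact integer math)."""
    n = 1
    while alphabet ** n < 2 ** bits:
        n += 1
    return n

def scaled_years(length, ref_length, ref_years, alphabet=ALPHABET):
    """Worst-case search time at `length`, scaled from a reference estimate.

    Assumption: the guess rate stays constant, so time grows with the keyspace.
    """
    return ref_years * keyspace(length, alphabet) / keyspace(ref_length, alphabet)

def first_length_exceeding(limit_years, ref_length, ref_years, alphabet=ALPHABET):
    """First length whose scaled worst-case time is above `limit_years`."""
    n = ref_length
    while scaled_years(n, ref_length, ref_years, alphabet) <= limit_years:
        n += 1
    return n

if __name__ == "__main__":
    ref_years = 3 + 7 / 12  # "3 years, 7 months" quoted for 5 characters
    print("len  combinations(1..len)   bits  worst-case years")
    for n in (1, 2, 3, 4, 5, 6, 8, 10, 11, 22, 32):
        print(f"{n:>3}  {keyspace(n):>20.4g}  {entropy_bits(n):5.1f}  "
              f"{scaled_years(n, 5, ref_years):.3g}")
    print("first length past 15e9 years:", first_length_exceeding(15e9, 5, ref_years))
    print("length matching a 128-bit key:", min_length_for_bits(128))
```

The per-length counts quoted in the thread (62, 3906, 242234, ...) are reproduced by `keyspace`, which shows they are running totals over all lengths up to the given one.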

From: J.D. on
> So are you saying you could hack into my gmail account.  by all means,
> please do.

Do NOT do as this troll requests. Hacking email accounts without the
permission of the account-holder is a felony in most jurisdictions,
and there is no way to authenticate whether or not this person is in
fact the account-holder.