From: unruh on
On 2010-02-24, Ertugrul Söylemez <es(a)ertes.de> wrote:
> Gomar <romphotog(a)gmail.com> wrote:
>
>> On Feb 23, 9:18 pm, g...(a)nope.ucsd.edu (Greg Rose) wrote:
>> > >...
>> > >5 - 931151402 - 3 years, 7 months
>> >
>> > >beyond 5, number of combinations get ridiculous, much higher than
>> > >the age of the universe.
>> >
>> > No, actually, it goes up by a factor of 62 for each character, so 6
>> > is about 183 years. Not exactly the age of the universe.
>>
>> I said number of >COMBINATIONS< ... not how long it takes. No number
>> can be higher than the age of the universe, which is about 15billion
>> years old.
>
> Oh, there is this strange number, which breaks the law. It's 16
> billion.
>
>
>> From Winzip's help file: "In fact, taking maximum advantage of the
>> full strength of AES encryption requires a password of approximately
>> 32 characters for 128-bit encryption"
>>
>> Thus, 32 characters is how many combinations, and how long would it
>> take to crack?
>
> This is a misunderstanding and wrong also. The attacker can always
> choose whether to attack the password or the key derived from it.
> Attacking the password is usually faster.
>
> You need 28 random lowercase letters to exploit the full key size of 128
> bits. In other words: As soon as your password is made up of 28 random
> lowercase letters, it doesn't make a difference, whether the attacker
> chooses to attack your password or the key derived from it.
>
>
>> How would you memorize 32 characters at all?
>
> You don't have to. Passwords shorter than 28 characters are still
> secure, but the attacker will have an advantage when attacking the
> password instead of the raw key. Nonetheless this advantage is

Just to pick nits, the advantage is huge (e.g. if you choose, say, 20
instead of 28 characters, the advantage to attacking the password is
26^8 = 2×10^11, i.e. almost a trillion times faster). Of course, if you
look at the number itself, 26^20 = 2×10^29, which is pretty impossible
to get by brute force, so in that sense you are right, but the advantage
is still far from negligible.
..


> neglible, when your password is long enough. As a side note, five
> characters are not enough.
>

Agreed.
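
The password-versus-key comparison in the exchange above, worked through in code. This is an added example and not code from anyone in the thread; it treats a password of n symbols drawn uniformly from an alphabet of size a as an n·log2(a)-bit secret and compares that with a 128-bit derived key. It also goes beyond the lowercase-only case: the 62-symbol alphabet, the cumulative count of all passwords up to a given length, the guess rate and the KDF iteration count in the `__main__` block are assumptions chosen for illustration, not figures from the thread or from any particular product.

```python
import math

# Added example: cost of guessing a password vs. guessing the 128-bit key
# derived from it. Alphabet sizes, lengths, guess rate and KDF iteration
# count used below are assumptions for illustration only.


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length, i.e. what a cracker
    that tries every shorter candidate first has to enumerate in total."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password of `length` symbols chosen uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest length at which a uniformly random password carries at
    least `target_bits` of entropy, i.e. is no easier to guess than a raw
    key of that size (28 for lowercase letters and 128 bits)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def attacker_advantage_bits(alphabet_size: int, length: int, key_bits: int) -> float:
    """Bits of work saved by attacking the password instead of the derived
    key; 0 once the password space is at least as large as the key space."""
    return max(0.0, key_bits - keyspace_bits(alphabet_size, length))


def advantage_ratio(alphabet_size: int, shorter: int, longer: int) -> int:
    """Factor by which a `shorter` password is faster to exhaust than a
    `longer` one over the same alphabet (26**8 for 20 vs 28 letters)."""
    return alphabet_size ** (longer - shorter)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       hashes_per_second: float, kdf_iterations: int = 1) -> float:
    """Worst-case time to try every password of exactly `length` symbols.
    Each guess costs `kdf_iterations` hash evaluations, so a stretched KDF
    (PBKDF2, scrypt, Argon2) scales the attacker's work linearly."""
    return keyspace_size(alphabet_size, length) * kdf_iterations / hashes_per_second


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    KEY_BITS = 128
    for name, size in (("lowercase", 26), ("alnum", 62)):
        n = length_for_bits(size, KEY_BITS)
        print(f"{name:9s} (alphabet {size}): {n} random symbols reach "
              f"{KEY_BITS} bits ({keyspace_bits(size, n):.1f} bits)")
    # 20 vs 28 lowercase letters: how much easier is the shorter one?
    print(f"20 vs 28 lowercase: {advantage_ratio(26, 20, 28):,}x faster "
          f"({attacker_advantage_bits(26, 20, KEY_BITS):.1f} bits short of the key)")
    # Every password of 1..5 symbols over a 62-symbol alphabet
    print(f"all <=5-symbol passwords over 62 symbols: {cumulative_keyspace(62, 5):,}")
    # Assumed offline guess rate of one million hash evaluations per second,
    # first with no key stretching, then with a 1000-iteration KDF.
    rate = 1e6
    print(f"62^5 at {rate:.0e} hashes/s, no stretching: "
          f"{human_duration(seconds_to_exhaust(62, 5, rate))}")
    print(f"62^5 at {rate:.0e} hashes/s, 1000-iteration KDF: "
          f"{human_duration(seconds_to_exhaust(62, 5, rate, kdf_iterations=1000))}")
    print(f"26^20 at {rate:.0e} hashes/s, 1000-iteration KDF: "
          f"{human_duration(seconds_to_exhaust(26, 20, rate, kdf_iterations=1000))}")
```

Two caveats a practitioner would add: the bit counts assume the password is chosen uniformly at random, so a human-chosen password is worth far fewer bits than its length suggests and is attacked with wordlists rather than exhaustive enumeration; and the guess rate is entirely a property of the KDF and the attacker's hardware, which is why the iteration count matters as much as the alphabet.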
From: Gomar on
On Feb 24, 11:51 am, bmearns <mearn...(a)gmail.com> wrote:
>
> I can pull numbers out of my butt, too, but it doesn't mean they're
> right. Where are you even getting these? Even if they were accurate,

I got these stats, not from my butt, but from 2 winzip/rar cracking
programs:
http://www.elcomsoft.com/archpr.html
and
http://www.RARPasswordCracker.com

In fact, using a calculator you could've confirmed the above, which BTW
I am surprised you've never seen these numbers. So you were not familiar
with these stats, since you claim to be a crypto expert and post 5
paragraphs.

> I've got a python script running right now that's brute forcing a
> trial winzip archive with a 5 character password using your 62
> character alphabet. The current estimate puts the max time at less
> than 540 days, so less than a year and a half. And of course, that's

Huh? I do not own, nor recall inventing, any 62-character alphabet.
Ok, so it takes 6 months to crack a 5-character pw. Fine.

> government agency couldn't crack your 5 character password by the end
> of the week, you're just plain stupid.

Ok, cool, I am sure the NSA with its CRAY clunkers will devote its
time to cracking my pws. LOL!
I'll just use a foreign alphabet, Hindi, Greek, Chinese or Arabic, or a
mixture of 10 different languages.

From: Gomar on
On Feb 24, 12:12 pm, "J.D." <degolyer...(a)yahoo.com> wrote:
> and there is no way to authenticate whether or not this person is in
> fact the account-holder.

Let me get this straight. I am posting from this account, but I am
not its holder.
Got it.

From: Gomar on
On Feb 24, 12:12 pm, "J.D." <degolyer...(a)yahoo.com> wrote:
> > So are you saying you could hack into my gmail account.  by all means,
> > please do.
>
> Do NOT do as this troll requests.  Hacking email accounts without the
> permission of the account-holder is a felony in most jurisdictions,
> and there is no way to authenticate whether or not this person is in
> fact the account-holder.

So perhaps I hacked into someone's gmail account and am using it to
post to this ng in order to get you wise old learned men to hack into
it for me... ok.
Got it.

BTW, I aint a troll. I iz a leprechaun.
From: Gomar on
On Feb 24, 1:34 pm, bmearns <mearn...(a)gmail.com> wrote:
>
> write it down somewhere secure. If your attacker has access to
> whatever secure location you keep your password in (like your wallet

Well, if you travel and want to read your email at a hotel, or at
school, or at work, or your wife has access to your primary email, you
need to use hotmail or gmail.
Write it down? Are you saying you type in 32 characters every time
you log in?
Also, if you use different pws for different accounts, that's like 20
pws x 32 = 640 characters.