From: Gomar on 25 Feb 2010 21:28

On Feb 24, 2:33 pm, Paulo Marques <pmarq...(a)grupopie.com> wrote:
> > 5 - 931151402 - 3 years, 7 months
>
> Updating the table to some actual real numbers instead of fictional ones:
>
> 5 - 916132832 / 10000/s -> ~ 1 day
>
> All this is for a completely random 5 character combination, not a

You are correct ONLY if you know that the pw is 5 characters. Otherwise, you have to start at 1 and go up to 5. Run the programs in my links, and enter 1 as min, 5 as max.
From: bmearns on 25 Feb 2010 22:55

On Feb 25, 8:32 pm, Gomar <rompho...(a)gmail.com> wrote:
> On Feb 24, 11:51 am, bmearns <mearn...(a)gmail.com> wrote:
> > I can pull numbers out of my butt, too, but it doesn't mean they're
> > right. Where are you even getting these? Even if they were accurate,
>
> I got these stats, not from my butt, but from 2 winzip/rar cracking
> programs: http://www.elcomsoft.com/archpr.html
> and http://www.RARPasswordCracker.com

Lovely, we generally like to cite our references when we make them, not just upon request.

> In fact, using a calculator you could've confirmed the above.

Only given a base estimate which you provided but without reference, and which I then demonstrated was an unrealistic estimate, anyway. Just because these two programs take that long doesn't mean that's as fast as it can be done, and doesn't mean that it would require some kind of advanced technology to do it faster.

> Which BTW I am surprised you've never seen these numbers. So you were
> not familiar with these stats since you claim to be a crypto expert
> and post 5 paragraphs.

I never claimed to be a crypto expert, I am very much a crypto amateur. I wrote 5 paragraphs because your original message indicated that you were either a troll or ignorant about cryptography and computers. I gave you the benefit of the doubt and assumed you were not a troll. I must admit, you fooled me there.

> > I've got a python script running right now that's brute forcing a
> > trial winzip archive with a 5 character password using your 62
> > character alphabet. The current estimate puts the max time at less
> > than 540 days, so less than a year and a half. And of course, that's
>
> huh? I do not own, neither recall inventing any 62 character alphabet.

Well maybe you should check back a few days in this thread. Here, let me refresh your memory:

On Feb 23, 7:31 pm, Gomar <rompho...(a)gmail.com> wrote:
[snip]
> using A-Z, a-z, 0-9
> 1 character pw has 62 possible combinations, and should take 5secs to
> crack;

The alphabet consisting of A-Z, a-z, 0-9 has 62 characters as you yourself pointed out.

> Ok, so it takes 6 months to crack a 5 character pw. Fine.

Perfect, so your original assertion which started this thread, that a 5 character password is "good enough", is demonstrably wrong.

> > government agency couldn't crack your 5 character password by the end
> > of the week, you're just plain stupid.
>
> Ok, cool, I am sure the NSA with its CRAY clunkers will devote its
> time to cracking my pws. LOL!

Fair enough, but that doesn't invalidate the point that a 5 character password has been shown to be quite weak.

> I'll just use a foreign alphabet, Hindi, Greek, Chinese or Arabic or a
> mixture of 10 different languages.

Well that's still more to remember: why not just use a 10 character password with the English alphabet? The strength of the password is directly correlated to the number of possible values it can take on, and so is the difficulty of memorizing it.
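Working the arithmetic behind the numbers traded in this exchange (Paulo's 931151402 candidates for lengths 1 to 5, 916132832 for exactly 5, at the 10,000 guesses/s he quotes) as an added Python example, not code from any poster; the guess rate is a parameter, and the 62-symbol alphabet is the A-Z, a-z, 0-9 set named in the thread. It generalises to any alphabet size, length range and rate, and also reports how little the shorter lengths add to the attacker's work when the length is unknown.

```python
"""Exhaustive-search size and worst-case time for random passwords.

Added example for the thread's arithmetic; the only inputs are the
alphabet size, the length range and an assumed guess rate.
"""

ALPHABET_62 = 62          # A-Z, a-z, 0-9 as used in the thread
GUESSES_PER_SEC = 10_000  # rate quoted by Paulo for the zip cracker (assumed)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates when the length is only known to lie in min_len..max_len."""
    if alphabet_size < 2 or min_len < 1 or max_len < min_len:
        raise ValueError("need alphabet_size >= 2 and 1 <= min_len <= max_len")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(candidates: int, guesses_per_sec: float) -> float:
    """Time to try every candidate; the expected time is about half of this."""
    return candidates / guesses_per_sec


def unknown_length_overhead(alphabet_size: int, max_len: int) -> float:
    """Fractional extra work when lengths 1..max_len must all be tried instead
    of just max_len (Gomar's objection); for 62 symbols and length 5 it is ~1.6%."""
    known = keyspace(alphabet_size, max_len, max_len)
    return keyspace(alphabet_size, 1, max_len) / known - 1


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for label, lo, hi in (("exactly 5", 5, 5), ("1 to 5", 1, 5), ("exactly 10", 10, 10)):
        n = keyspace(ALPHABET_62, lo, hi)
        print(f"{label:>10}: {n:>22,} candidates, worst case "
              f"{describe(worst_case_seconds(n, GUESSES_PER_SEC))}")
    print(f"unknown length (1..5) adds {unknown_length_overhead(ALPHABET_62, 5):.1%} work")
```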
From: bmearns on 25 Feb 2010 23:05

On Feb 25, 8:56 pm, Gomar <rompho...(a)gmail.com> wrote:
> On Feb 24, 1:34 pm, bmearns <mearn...(a)gmail.com> wrote:
[snip]
> > write it down somewhere secure. If your attacker has access to
> > whatever secure location you keep your password in (like your wallet
>
> well, if you travel and want to read your email at a hotel, or at
> school, or at work,

So put it in your wallet.

> or your wife has access to your primary email, you need to use hotmail
> or gmail.

What does using hotmail or gmail have to do with it? And you don't trust your wife's ability to use a secure password? Is she as dense as you are?

> Write it down? Are you saying you type in 32 characters every time
> you log in?

Actually, I have a 10 character password. Yes, I have memorized it and I type it in every time.

> Also, if you use different pws for different accounts, that's like 20
> pws X 32 = 640 characters.

First, there are ways around this. For instance, I have a core 10 character very-secure password that I've committed to memory. To generate passwords for different accounts, I append some simple description of the account (like "gmail") and then hash the concatenated value and submit that as my password. It allows me to use a different password without having to memorize a ton of different strong passwords, and yet if any one password is compromised it will not cause the others to be compromised. Granted, it is a bit of a nuisance to need access to an implementation of the hash whenever I need to log in.

That brings me to my second point. You need to pick your argument: are you trying to say that more than 5 characters is unnecessary or that it is impractical? You're basically wrong on both accounts, but it would really be in your best interest to choose one or the other, or at least to keep the arguments separate. Claiming that a strong password with more than 5 characters is too difficult to use in no way lessens the importance of doing so.

-Brian
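The per-account scheme Brian describes (one memorised core secret plus an account label, hashed, the digest used as the password) written out as an added Python example; it is not his script, and the hash (SHA-256), the separator, the base64 encoding and the 20-character truncation are assumptions, since the post names none of them. The version counter in the label is also an addition, so a single leaked derived password can be replaced without changing the core secret.

```python
"""Derive one strong password per account from a single memorised secret.

Added example of the scheme described in the thread; the concrete hash,
encoding and output length are assumptions (the post does not name them).
"""
import base64
import hashlib


def derive_password(core: str, account: str, version: int = 1, length: int = 20) -> str:
    """Return a deterministic per-account password.

    The derived value is SHA-256 over "core:account:version", base64 encoded
    so the result uses letters, digits and two symbols, then truncated.
    Anyone holding only a derived password must still invert SHA-256 to learn
    the core secret, which is why one leak does not expose the other accounts.
    """
    if not core or not account:
        raise ValueError("core secret and account label are required")
    if not 8 <= length <= 43:  # 43 = unpadded base64 length of a 32-byte digest
        raise ValueError("length must be between 8 and 43")
    material = f"{core}:{account}:{version}".encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")[:length]


def rotate(core: str, account: str, old_version: int) -> str:
    """After a leak, bump the version: a new password without a new core secret."""
    return derive_password(core, account, version=old_version + 1)


if __name__ == "__main__":
    core = "correct-horse-10"  # constructed sample secret for the demo only
    for account in ("gmail", "hotmail", "bank"):
        print(f"{account:>8}: {derive_password(core, account)}")
    print(f" rotated: {rotate(core, 'gmail', old_version=1)}")
```

Losing the core secret (or the machine that holds the hash implementation) still loses every derived password at once, so the scheme trades many strong secrets for one; it does not remove the need to protect that one.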
From: bmearns on 25 Feb 2010 23:06

On Feb 25, 8:34 pm, Gomar <rompho...(a)gmail.com> wrote:
> On Feb 24, 12:12 pm, "J.D." <degolyer...(a)yahoo.com> wrote:
> > and there is no way to authenticate whether or not this person is in
> > fact the account-holder.
>
> let me get this straight. I am posting from this account, but I am
> not its holder.
> got it.

It is more or less trivial to forge the From: header in an email message so that it appears to be coming from a different account.
From: J.D. on 25 Feb 2010 23:15

> BTW, I aint a troll. I iz a leprechaun.

Fine. Tell me where the gold is or you die....slow.