password security

Barry Shein bzs at Encore.COM
Wed Dec 21 10:44:33 AEST 1988


From: cory at gloom.UUCP (Cory Kempf)
>>Given a 100-character character set and 8 characters in a password
>>the search space is 100^8 which is:
>>
>>	10,000,000,000,000,000
>
>Except for one little problem... I don't think that the average
>secretary is capable of remembering a password like 'z&B_= ^W4'

The average secretary I know is bright enough to understand rules like
"use two short words with some upper-case letters and/or digits thrown
in and separated by a punctuation, like 'Hey!Jude' or 'FidoIS#1'". Very
hard to guess, very easy to remember, next...

>>500 billion seconds or almost 16,000 years. Even improving *that* by a
>>factor of 1,000 (ie. 20,000,000 encryptions per second) wouldn't leave
>>much hope for the cracker (16 continuous machine-years.)
>
>I wonder... with Thinking Machine's offer to allow people on the
>internet to access a Connection Machine, has anyone tried to write
>an algm. for brute force password testing for such a machine?  (ie 
>with 64k processors, each at 1000 encryptions a second it is down
>to about 3 mos. -- unfortunately, I don't know enough about the
>connection machine and DES to know how reasonable this is... (mean
>time 'till success would be around 1.5 months -- shorter if the search
>is set up with a bit of forethought (ie start with unshifted keys, then
>shifted, then control, etc.)

Cargo cult worship: each CM processor is not very fast (that's part of
the point, use lots of small processors and try to beat the
price-performance curves). I mean, we can fantasize and postulate a
machine which *can* break a password in some reasonable amount of time,
at which point of course it becomes doable.  But it doesn't exist, so
what's the point?

>Besides, it would make me feel better if someone who managed to 
>watch me key in a password (I try to avoid this) had to catch
>more than 8 characters...

Well, if what we're really talking about is making you and others
*feel* better rather than trying to understand security a little
better and gauge effective methods to obtain reasonable security
levels then that explains everything. Perhaps security would be
improved on your system by throwing back a good double of Scotch?

	-Barry Shein, ||Encore||
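The keyspace and time-to-exhaust arithmetic the thread argues over, worked through as an added example (not code from either poster). It reproduces the 100^8 figures under the stated guess rates, takes the Connection Machine parameters as given in the quoted reply, and adds two constructed comparisons with smaller character sets; the scenario labels and the `humanize` helper are assumptions of this example.

```python
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, close enough for estimates

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length

def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits of entropy, assuming the password is chosen uniformly."""
    return log2(space)

def exhaust_seconds(space: int, guesses_per_sec: float, processors: int = 1) -> float:
    """Wall-clock seconds to try every candidate, with `processors` guessing in parallel."""
    return space / (guesses_per_sec * processors)

def expected_seconds(space: int, guesses_per_sec: float, processors: int = 1) -> float:
    """Mean time to hit a uniformly chosen password: half of a full sweep."""
    return exhaust_seconds(space, guesses_per_sec, processors) / 2

def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0), ("hours", 3600.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"

# Scenarios from the thread, plus two constructed comparisons with smaller charsets.
SCENARIOS = [
    # label,                                  charset, length, guesses/s, processors
    ("100-char set, 20,000 enc/s",               100, 8, 20_000,     1),
    ("100-char set, 20,000,000 enc/s",           100, 8, 20_000_000, 1),
    ("100-char set, 64K CPUs x 1,000 enc/s",     100, 8, 1_000,      65_536),
    ("lowercase only (26), 20,000 enc/s",         26, 8, 20_000,     1),
    ("alphanumeric (62), 20,000 enc/s",           62, 8, 20_000,     1),
]

def report(scenarios=SCENARIOS) -> list[tuple[str, float, float]]:
    """Return (label, entropy in bits, expected seconds to success) per scenario."""
    rows = []
    for label, charset, length, rate, procs in scenarios:
        space = keyspace(charset, length)
        rows.append((label, entropy_bits(space), expected_seconds(space, rate, procs)))
    return rows

if __name__ == "__main__":
    for label, bits, mean in report():
        print(f"{label:<40} {bits:5.1f} bits  mean time to success: {humanize(mean)}")
```

The last two rows show why the charset actually used matters more than the nominal 100-symbol alphabet: an 8-character lowercase password falls to the same 20,000 guesses/s machine in months rather than millennia.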
