Yet Another useful paper

Barry Shein bzs at Encore.COM
Sun Dec 18 03:04:53 AEST 1988


>As far as UNIX passwords, it further justifies the use of a shadow
>password file and the use of 64 character pass phrases.
>
>-- 
>=Dennis L. Mumaugh

Why? Because it shows a 20x speedup possibility? Let's do the
arithmetic again...

Given a 100 character character set and 8 characters in a password
the search space is 100^8 which is:

	10,000,000,000,000,000

Currently even fast DES implementations on fast processors can't seem
to hit 1,000 encryptions per second although it's probably possible,
let's allow 20,000 encryptions per second, a brute force search would
now take:

	500,000,000,000


500 billion seconds or almost 16,000 years. Even improving *that* by a
factor of 1,000 (i.e. 20,000,000 encryptions per second) wouldn't leave
much hope for the cracker (16 continuous machine-years.)

Drop down to a 64 character set and we get a search space of:

	281,474,976,710,656

which still takes 450 years to search completely at 20,000 encryptions
per second (even using arguments which say on average one only has to
search half the space this isn't too encouraging to a cracker.)

Improving by 1,000 further (a highly improbable event in the near
future) still reduces this to 6 months absolute dedicated machine time
on a machine or machine configuration (e.g. parallel) which makes a
Cray-3 look like a $4.99 pocket calculator.

If someone has access to those kinds of resources and wants into your
account they can hire a small army and hijack your computer much
cheaper and less visibly.

Let's face it folks, at these fantastic rates the following methods
would be far more effective:

	1. Have a dirty tricks agency plant a video camera
	in your office ceiling which transmits images of you
	keying in your password.

	2. Tap your network.

	3. Bribe key personnel in your area to get whatever it
	is they really want.

	4. Purchase your company, even AT&T.

Dennis, without further justification for your position/conclusion I
claim you're grasping for straws and succumbing to mob mentality.

	-Barry Shein, ||Encore||


