John Hyde

 01-24-2006
on 1/24/2006 12:22 AM Lars said the following:
> If you use letters, numbers, symbols and non-printable characters such
> as esc, and other commands, the real number of password combinations
> would be 256^n different ones, where n is the number of characters in
> different pwd combinations. That's a lot.
>

Yeah, 7.2e16 . . . Far less than my example of a 10 digit pass with a
smaller character set. 81^10 = 2.1e19. Use your character set and you
get the same place with 8 digits. (1.8e19).

The point is not to play silly math games. The point is to demonstrate
that a relatively small increase in password length can have a profound
effect on the strength of the password.

JH

cypher

 01-28-2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Borked Pseudo Mailed <(E-Mail Removed)> wrote in
news:(E-Mail Removed) d.net:

> Joseph wrote:
>
>> that contain numbers, symbols, upper and lower case, over
>> 8 characters and also be gibberish. Obviously there must
>> be a balance between strength and using a password that is
>> at least memorable.
>>
>> Not being a security expert, would anyone tell me how
>> secure an 8 character password would be consisting of
>> numbers, upper and lower case letters and is just
>> gibberish, thus not prone to dictionary attacks.
>>
>> Doing the math, I see
>> 62*62*62*62*62*62*62*62=218,340,105,584,896 combinations.
>>
>> How long would it take to crack a password of this
>> complexity by brute force?

For a 128-bit password you need 16 characters.
1 Byte=8 bits 16*8=128
8*8=64
Your password could be 64 bits strong, but only if you would
use upper and lower alphabetic characters, numbers, special
characters and *higher ANSI characters*. You are using only a
part from that, and probably not perfectly random, so your
password is *much* less than 64 bits strong (usually 40 bits
or even less).

"RSA Laboratories
Recommended Key Sizes"

http://www.nullify.org/openpgp.html

"Minimum symmetric security level 80 bits-Protection Lifetime
of Data 2010, Minimum symmetric security level 112

As you see, you need a minimum 80 bits (or better 90 bits)
strong password for your data if you want them to stay secure
for the next few years. For such protection 12 *random* characters
(96 bits) would be sufficient (theoretically). If you are
using a strong cryptosystem, the password has to be a minimum of 16
characters long, and because you are not using all possible
characters and the password is probably not truly random, a
length of 25 or more characters is recommended.

minimum 12 characters, for strong cryptosystems 25 or more.

> At 100 guesses a second, it would take about 218.3 Billion
> seconds to try every possible combination. You do the math,
> but I'm guessing in the thousands of years.

LC5 (L0phtCrack, a Windows password audit and recovery tool)
is working on my machine at a speed of about 5,000,000
combinations per second when cracking hashes from the Windows SAM
file (brute-force method). Good strong cryptosystems
slow down password cracking speed, but it is still a big
number.

October 15, 1999
by Bruce Schneier
http://www.schneier.com/

"(...)Many keys are generated from passwords or passphrases.
A system that accepts 10-character ASCII passwords might
require 80 bits to represent, but has much less than 80 bits
of entropy. High-order ASCII bytes won't appear at all, and
passwords that are real words (or close to real words) are
much more likely than random character strings. I've seen
entropy estimates of standard English at 1.3 bits per
character; passwords probably have less than 4 bits of
entropy per character. This means that a 6-character
passphrase is about the same as a 32-bit key, and if you want
a 128-bit key you are going to need a 98-character English
passphrase.(...)

(...)Some have dealt with this problem by requiring stronger
and stronger passwords, but that is no longer effective. Over
brute-force larger and larger entropy keys. At the same time,
there is a maximum to the entropy that the average computer
user (or even the above-average computer user) is willing to
remember. You can't expect him to memorize a 32-character
random hexadecimal string, but that's what has to happen if
he is to memorize a 128-bit key. These two numbers have
crossed; password crackers can now break anything that you
can reasonably expect a user to memorize. Good passwords are
difficult to memorize, he will complain, but this difficulty
is precisely why they are considered good.(...)"

Regards,
cypher

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ9uKQiPnLg7nPH4AEQKZcgCg1tRyvAto2c3tsKEQ22xm2G r5CZ0AoJXH
vYT9OVhEm3gwgnx4SwYrkOIf
=m1dz
-----END PGP SIGNATURE-----
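The arithmetic argued over in both posts above (keyspace = charset^length, its entropy in bits, worst-case time to exhaust it at a given guess rate, and the length an English passphrase needs to reach a target bit count) is worked through in the following script. It is an added example, not code from any poster; the guess rates (100/s and 5,000,000/s) and the 1.3 and 4 bits-per-character estimates are the ones quoted in the thread, and the character-set sizes are constructed here for illustration. It generalises the single cases in the posts to any character set, length and guess rate.

```python
"""Password keyspace, entropy and brute-force time estimates.

Added example for the thread above (not any poster's code). The guess
rates and bits-per-character figures come from the posts; the
character-set sizes below are constructed for illustration.
"""
import math
import string

# Symbol-set sizes discussed in the thread (constructed table).
CHARSETS = {
    "digits": len(string.digits),                        # 10
    "alnum": len(string.ascii_letters + string.digits),  # 62
    "printable_ascii": 95,                               # 0x20..0x7E
    "all_bytes": 256,                                    # every 8-bit value
}

# Guess rates mentioned in the thread: the 100/s figure from the quoted
# reply and the ~5,000,000/s LC5 figure from cypher's post.
GUESS_RATES = {"100/s": 100.0, "5M/s (LC5)": 5_000_000.0}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace.

    This is the *upper bound*; a human-chosen password has less, which
    is the point of the Schneier quote in the post above.
    """
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Same as seconds_to_exhaust, expressed in (Julian) years."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def length_for_bits(target_bits: float, bits_per_char: float) -> int:
    """Characters needed to reach `target_bits` at a given entropy per character.

    Uses ceil, so 128 bits at Schneier's 1.3 bits/char gives 99 (the quote's
    "98" is 128/1.3 = 98.46 rounded down).
    """
    return math.ceil(target_bits / bits_per_char)


def shortest_length_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest length whose uniformly random keyspace reaches 2**target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def report(length: int = 8) -> None:
    """Print the table for every charset and guess rate in the constants above."""
    print(f"{'charset':<16}{'size':>5}{'bits':>7}  " + "".join(f"{r:>14}" for r in GUESS_RATES))
    for name, size in CHARSETS.items():
        row = f"{name:<16}{size:>5}{entropy_bits(size, length):>7.1f}  "
        row += "".join(f"{years_to_exhaust(size, length, rate):>12.2e} y" for rate in GUESS_RATES.values())
        print(row)


if __name__ == "__main__":
    report(8)
    print("English passphrase length for 128 bits at 1.3 bits/char:", length_for_bits(128, 1.3))
    print("Random-byte password length for 128 bits:", shortest_length_for_bits(256, 128))
```

Run it as-is to reproduce the thread's figures: 62^8 is the 218,340,105,584,896 combinations Joseph computed, which at 100 guesses/s exhausts in roughly 69,000 years but at the LC5 rate in well under two years, and the 16 random bytes cypher mentions are exactly the 128-bit key length. The entropy column is what the password *could* carry if it were truly random; Schneier's 1.3 to 4 bits per character is why memorised passwords fall far short of it.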