Joseph
Guest
Posts: n/a

 01-21-2006
symbols, upper and lower case, over 8 characters and also be gibberish.
Obviously there must be a balance between strength and using a password that
is at least memorable.

Not being a security expert, would anyone tell me how secure an 8 character
password would be consisting of numbers, upper and lower case letters and is
just gibberish, thus not prone to dictionary attacks.

Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
combinations.

How long would it take to crack a password of this complexity by brute
force?

Thank you

Arthur T.
Guest
Posts: n/a

 01-22-2006
In Message-ID: <uVzAf.416644$ki.103302@pd7tw2no>,
"Joseph" <joseph388@@hotmail.com> wrote:

>Obviously there must be a balance between strength and using a password that
>is at least memorable.

From what I read, most security experts are now suggesting
that you write down your passwords *and make sure that list is
secured*. (The equivalent is to keep them encrypted by a master
key that's very secure.) This is because of the large number of
passwords people now need. Of course, you shouldn't use the same

>Not being a security expert, would anyone tell me how secure an 8 character
>password would be consisting of numbers, upper and lower case letters and is
>just gibberish, thus not prone to dictionary attacks.
>
>Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
>combinations.
>
>How long would it take to crack a password of this complexity by brute
>force?

I'm also not a security expert, but the usual measure of a
key's security is number of bits of entropy. For truly random
data, you can find this from the log base 2 of the number of
bits. That's considered weak and easily crackable. DES is 56
bits and considered to be too easy to crack.

--
Arthur T. - ar23hur "at" speakeasy "dot" net
Looking for a good MVS systems programmer position

Winged
Guest
Posts: n/a

 01-22-2006
Joseph wrote:
> symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8 character
> password would be consisting of numbers, upper and lower case letters and is
> just gibberish, thus not prone to dictionary attacks.
>
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?
>
> Thank you
>
>

Winged

Donnie
Guest
Posts: n/a

 01-22-2006

"Joseph" <joseph388@@hotmail.com> wrote in message
news:uVzAf.416644$ki.103302@pd7tw2no...

> numbers, symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8 character
> password would be consisting of numbers, upper and lower case letters and is
> just gibberish, thus not prone to dictionary attacks.

#################################
A dictionary attack only uses words in the dictionary, so if numbers and
other symbols are included, a dictionary attack is worthless. I've cracked
many passwds using John The Ripper and I never used wordlists.
john -i passwd_file
That's it.
Of course most of those were dictionary passwds, some were pretty funny like
user frog, passwd leap, stupid things like that.
donnie
#################################
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?
>
> Thank you
>

#######################################
Brute force is another story. If a passwd is strong, it could take forever
but that's when you move on to the next file or look for a weaker entry
point.
donnie.

George Orwell
Guest
Posts: n/a

 01-22-2006
Donnie wrote:

> A dictionary attack only uses words in the dictionary, so if numbers and
> other symbols are included, a dictionary attack is worthless. I've

Unless your dictionary has "numbers and other symbols" in it. Dictionary
attacks don't use "the" dictionary, they use a file or files full of
whatever the attacker chooses to put in them.

Also, there are other types of brute force attacks where the "dictionary" is
randomly generated on the fly, from whatever characters or "symbols" the
attacker configures.

Robert
Guest
Posts: n/a

 01-22-2006
On Sat, 21 Jan 2006 23:59:22 +0000, Joseph wrote:

> symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.

I always tell people to forget about using words for their passwords, use
phrases.

For example;

When It Rains It Pours But When The Sun Comes Out It's Warm
A Bird In The Hand Is Better Than Two In The Tree

Then use only the first letter of every word

thus having;
wiripbwtscoiw
abithibttitt

Then swap letters for numbers;
a=4 e=3 i=1 o=0 s=8 p=9 l=7

would translate to;
w1r19bwtsc01w
4b1th1bttb1tt

Other possible flips could be to use the number in place of the word, i.e.,

one=1 four=4 and so on.

You could also use the '&' in place for the word 'and'

You can make the flip anything you want but make it so that you will
remember what that flip is. Then add punctuation as needed.

Password generators are good too, and their passwords have no reason behind
them; this makes them good but it also makes them harder to remember.

Also never use short phrases. At least 10 letters long. 15 or more is
even better.

There is no such thing as an uncrackable password. Given enough time all
passwords can and will be cracked. We just have to make it harder for the
cracker and hope that he will be caught before he can crack the password.

--

Regards
Robert

Smile... it increases your face value!


Borked Pseudo Mailed
Guest
Posts: n/a

 01-22-2006
Joseph wrote:

> numbers, symbols, upper and lower case, over 8 characters and also be
> gibberish. Obviously there must be a balance between strength and using a
> password that is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8
> character password would be consisting of numbers, upper and lower case
> letters and is just gibberish, thus not prone to dictionary attacks.
>
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?

At 100 guesses a second, it would take about 218.3 Billion seconds to try
every possible combination. You do the math, but I'm guessing in the
thousands of years.

Note that it's generally not necessary to try every combination. The rule
of thumb is half of them. The 50/50 point is what you want to focus on.

Dave Keays
Guest
Posts: n/a

 01-22-2006
Robert wrote:
> On Sat, 21 Jan 2006 23:59:22 +0000, Joseph wrote:
>
>
>>symbols, upper and lower case, over 8 characters and also be gibberish.
>>Obviously there must be a balance between strength and using a password that
>>is at least memorable.

>
>
> I always tell people to forget about using words for their passwords, use
> phrases.
>
> For example;
>
> When It Rains It Pours But When The Sun Comes Out It's Warm
> A Bird In The Hand Is Better Than Two In The Tree
>
> Then use only the first letter of every word
>
> thus having;
> wiripbwtscoiw
> abithibttitt
>
> Then swap letters for numbers;
> a=4 e=3 i=1 o=0 s=8 p=9 l=7
>
> would translate to;
> w1r19bwtsc01w
> 4b1th1bttb1tt
>
> Other possible flips could be to use the number in place of the word, i.e.,
>
> one=1 four=4 and so on.
>
> You could also use the '&' in place for the word 'and'
>
> You can make the flip anything you want but make it so that you will
> remember what that flip is. Then add punctuation as needed.
>
> Password generators are good too, and their passwords have no reason behind
> them; this makes them good but it also makes them harder to remember.
>
> Also never use short phrases. At least 10 letters long. 15 or more is
> even better.
>
> There is no such thing as an uncrackable password. Given enough time all
> passwords can and will be cracked. We just have to make it harder for the
> cracker and hope that he will be caught before he can crack the password.
>
>

What I tell people is to use a mangled passphrase that is complex and memorable,
and can be written down "securely". It usually looks like "l337 Sp3ak" (elite
speak) used by hackers.

What I do:
1) pick 3 words out of a book randomly so that they don't relate to each other. (Each
word must be at least 4 characters long)

2) Remove all spaces and punctuation.

3) Capitalize all words.

4) change some lowercase letters to numbers (l=1, e=3, g=5, g=6, t=7, b=8, p=9)

5) change some lowercase letters to symbols (a=@, i=!, s=$, x=*)

6) write the unmangled phrase down and keep it secure.

You now have a passphrase that is long, includes upper/lower case letters,
numbers and symbols. Those "random" words are difficult the first 2 or 3 times.
After that, the phrase sticks in your memory like the lyrics of a bad song.

Then if you've forgotten the phrase, get the written copy and mangle it in your

Example
phase 1: handed design change
phase 2: handeddesignchange
phase 3: HandedDesignChange
phase 4: Hand3dD3si6nChan63
phase 5: H@nd3dD3s!6nCh@n63

If they need a more secure phrase increase the size of the phrase with 5 or 6
words, use extended characters between the words, and throw a misspelling in.

<http://en.wikipedia.org/wiki/Extended_ASCII>

--

Dave Keays
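
Robert's first-letter recipe and Dave's three-word recipe, written out as code so the swaps can be run and checked (an added example, not code from either poster). The word list BOOK_WORDS is a constructed stand-in for "pick words out of a book"; every table entry is applied, whereas both hand-worked examples above change only some of the eligible letters; and Dave's list reads "g=5, g=6" while his worked example uses g=6, which is what the table here uses. The last function gives the guess-space that remains for someone who knows the recipe, the attacker-built dictionary George Orwell describes earlier in the thread.

```python
"""Robert's and Dave Keays's letter-swapping passphrase recipes as code, plus
the guess-space left to an attacker who knows the recipe. Added example."""
import math
import secrets

# Tables as posted. Dave's list reads "g=5, g=6"; his worked example turns g
# into 6 and leaves s alone, so g=6 is used here.
ROBERT_DIGITS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "8", "p": "9", "l": "7"}
DAVE_DIGITS = {"l": "1", "e": "3", "g": "6", "t": "7", "b": "8", "p": "9"}
DAVE_SYMBOLS = {"a": "@", "i": "!", "s": "$", "x": "*"}

# Constructed stand-in for "pick 3 words out of a book".
BOOK_WORDS = ["handed", "design", "change", "river", "lantern", "orbit",
              "velvet", "granite", "whisper", "copper", "meadow", "signal"]

def pick_words(vocab, count=3, min_len=4):
    """Dave's step 1: random words of at least min_len letters, drawn with
    secrets so the choice cannot be replayed from a PRNG seed."""
    pool = [w for w in vocab if len(w) >= min_len]
    return [secrets.choice(pool) for _ in range(count)]

def initials(phrase):
    """Robert's first step: the first letter of every word, lowercased."""
    return "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())

def substitute(text, *tables):
    """Apply each swap table to every character. Every entry is applied;
    both posters' hand examples change only some of the eligible letters."""
    for table in tables:
        text = "".join(table.get(c, c) for c in text)
    return text

def dave_mangle(phrase):
    """Dave's steps 2-5: drop spaces and punctuation, capitalise each word,
    then swap letters for digits and symbols."""
    words = ["".join(c for c in w if c.isalpha()) for w in phrase.split()]
    return substitute("".join(w.capitalize() for w in words), DAVE_DIGITS, DAVE_SYMBOLS)

def recipe_bits(choices, count):
    """Entropy of the recipe itself: someone who knows it only has to try
    every way of picking `count` items from `choices` and replay the fixed
    swaps, so the output's look adds nothing: count * log2(choices)."""
    return count * math.log2(choices)

if __name__ == "__main__":
    phrase = " ".join(pick_words(BOOK_WORDS))   # Dave's step 6: write this one down
    print(phrase, "->", dave_mangle(phrase))
    print(substitute(initials("When It Rains It Pours But When The Sun Comes Out It's Warm"), ROBERT_DIGITS))
    print(f"3 words from a {len(BOOK_WORDS)}-word list: {recipe_bits(len(BOOK_WORDS), 3):.1f} bits")
```

With the full tables applied, Dave's "handed design change" comes out as H@nd3dD3$!6nCh@n63, one character different from his hand-worked phase 5 because the s is swapped too.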

Dave Keays
Guest
Posts: n/a

 01-23-2006
Borked Pseudo Mailed wrote:
> Joseph wrote:
>
>
>>numbers, symbols, upper and lower case, over 8 characters and also be
>>gibberish. Obviously there must be a balance between strength and using a
>>password that is at least memorable.
>>

[snip]

>>How long would it take to crack a password of this complexity by brute
>>force?

>
> At 100 guesses a second, it would take about 218.3 Billion seconds to try
> every possible combination. You do the math, but I'm guessing in the
> thousands of years.

With the distributed computing capabilities today, it could be done a lot
sooner. With a botnet controlling 400,000 PCs it would take less than a day.
Just have one zombie check for "aaaa" to "aaaz" then next for "aaba" to "aabz".
I'm doing the math quick in my head so forgive me if I'm not accurate here.

I use the 400,000 number because someone was arrested for having a botnet that
size last November.

[snip]

--

Dave Keays
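
The numbers the thread has been trading, worked through as a small calculator: Joseph's 62^8 keyspace, Arthur's bits-of-entropy measure, the 50/50 point Borked mentions, and the 400,000-machine scenario in the post above (an added example, not from any poster). The guess rates are assumptions: Borked's 100 guesses a second for one machine, and the same 100 a second for each of 400,000 machines.

```python
"""Keyspace, entropy and brute-force time for the thread's 8-character,
62-symbol password, at the guess rates the posters discuss. Added example."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(charset_size, length):
    """Distinct passwords of a given length over a charset: Joseph's 62**8."""
    return charset_size ** length

def entropy_bits(charset_size, length):
    """Arthur's measure: log2 of the keyspace, for a uniformly random choice.
    Mixed-case alphanumerics (62) at 8 characters give about 47.6 bits, below
    the 56 bits Arthur cites for a DES key."""
    return length * math.log2(charset_size)

def seconds_to_search(charset_size, length, guesses_per_second, fraction=1.0):
    """Time to try `fraction` of the keyspace at a flat rate. fraction=0.5 is
    Borked's 50/50 point: with no ordering information, the password turns up
    on average halfway through the search."""
    return keyspace(charset_size, length) * fraction / guesses_per_second

def years_to_search(charset_size, length, guesses_per_second, fraction=1.0):
    return seconds_to_search(charset_size, length, guesses_per_second, fraction) / SECONDS_PER_YEAR

def crack_table(charset_size, length, rates):
    """rates maps a label to guesses per second; returns label -> (years for
    the whole keyspace, expected years at the 50/50 point)."""
    return {label: (years_to_search(charset_size, length, r),
                    years_to_search(charset_size, length, r, 0.5))
            for label, r in rates.items()}

if __name__ == "__main__":
    # Assumed rates: Borked's single machine at 100 guesses/s, and the 400,000
    # machines above if each managed the same 100 guesses/s (constructed).
    rates = {"one host, 100/s": 100, "400,000 hosts x 100/s": 400_000 * 100}
    print(f"62^8 = {keyspace(62, 8):,} passwords, {entropy_bits(62, 8):.1f} bits")
    for label, (full, expected) in crack_table(62, 8, rates).items():
        print(f"{label}: {full:,.2f} years to exhaust, {expected:,.2f} years expected")
```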

Borked Pseudo Mailed
Guest
Posts: n/a

 01-23-2006
Dave Keays wrote:

>> At 100 guesses a second, it would take about 218.3 Billion seconds to
>> try every possible combination. You do the math, but I'm guessing in the
>> thousands of years.

>
> With the distributed computing capabilities today, it could be done a lot
> sooner. With a botnet controlling 400,000 PCs it would take less than a
> day.

Not likely. 100 guesses a second was an out of thin air number and likely
impossible to begin with. Regardless, if you're eating clock cycles like
that everything else on the machine is dog slow or dead. Your bots would
be dropping like flies. Which means you're going to have to figure out
some way of tracking which data chunk belongs to which bot and reassign it
AFTER you realize a bot is deceased, which is probably going to be after
the time it should have taken to check its bit of data has passed.

And that's only if you can manage to figure out how to distribute the
cracking/tracking software and data to 400,000 machines without being
detected, outed as a "cyber terrorist", and put in jail for the next 20
years. At which time you might be able to start the whole process over.
With faster hardware of course.

It's not really about the raw numbers at this point of the discussion,
it's about the practicality of doing the work. Sure, enough machines could
do that work, but can you get them together and keep them together?