Discussion in 'Computer Security' started by Joseph, Jan 21, 2006.

1. Joseph

symbols, upper and lower case, over 8 characters and also be gibberish.
Obviously there must be a balance between strength and using a password that
is at least memorable.

Not being a security expert, would anyone tell me how secure an 8 character
password would be consisting of numbers, upper and lower case letters and is
just gibberish, thus not prone to dictionary attacks.

Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
combinations.

How long would it take to crack a password of this complexity by brute
force?

Thank you

Joseph, Jan 21, 2006

2. Arthur T.

In Message-ID:<uVzAf.416644$ki.103302@pd7tw2no>,
"Joseph" <joseph388@@hotmail.com> wrote:

>Obviously there must be a balance between strength and using a password that
>is at least memorable.

From what I read, most security experts are now suggesting
that you write down your passwords *and make sure that list is
secured*. (The equivalent is to keep them encrypted by a master
key that's very secure.) This is because of the large number of
passwords people now need. Of course, you shouldn't use the same

>Not being a security expert, would anyone tell me how secure an 8 character
>password would be consisting of numbers, upper and lower case letters and is
>just gibberish, thus not prone to dictionary attacks.
>
>Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
>combinations.
>
>How long would it take to crack a password of this complexity by brute
>force?

I'm also not a security expert, but the usual measure of a
key's security is number of bits of entropy. For truly random
data, you can find this from the log base 2 of the number of
bits. That's considered weak and easily crackable. DES is 56
bits and considered to be too easy to crack.

--
Arthur T. - ar23hur "at" speakeasy "dot" net
Looking for a good MVS systems programmer position

Arthur T., Jan 22, 2006

3. Winged

Joseph wrote:
> symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8 character
> password would be consisting of numbers, upper and lower case letters and is
> just gibberish, thus not prone to dictionary attacks.
>
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?
>
> Thank you
>
>

Winged

Winged, Jan 22, 2006
4. Donnie

"Joseph" <joseph388@@hotmail.com> wrote in message
news:uVzAf.416644$ki.103302@pd7tw2no...

> numbers, symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8 character
> password would be consisting of numbers, upper and lower case letters and is
> just gibberish, thus not prone to dictionary attacks.

#################################
A dictionary attack only uses words in the dictionary, so if numbers and
other symbols are included, a dictionary attack is worthless. I've cracked
many passwds using John The Ripper and I never used wordlists:
john -i passwd_file
That's it.
Of course most of those were dictionary passwds, some were pretty funny like
user frog, passwd leap, stupid things like that.
donnie
#################################
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?
>
> Thank you
>

#######################################
Brute force is another story. If a passwd is strong, it could take forever
but that's when you move on to the next file or look for a weaker entry
point.
donnie.

Donnie, Jan 22, 2006
5. George Orwell

Donnie wrote:

> A dictionary attack only uses words in the dictionary, so if numbers and
> other symbols are included, a dictionary attack is worthless. I've

Unless your dictionary has "numbers and other symbols" in it. Dictionary
attacks don't use "the" dictionary, they use a file or files full of
whatever the attacker chooses to put in them.

Also, there are other types of brute force attacks where the "dictionary" is
randomly generated on the fly, from whatever characters or "symbols" the
attacker configures.

George Orwell, Jan 22, 2006
6. Robert

On Sat, 21 Jan 2006 23:59:22 +0000, Joseph wrote:

> symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.

I always tell people to forget about using words for their passwords, use
phrases.

For example:

When It Rains It Pours But When The Sun Comes Out It's Warm
A Bird In The Hand Is Better Than Two In The Tree

Then use only the first letter of every word,

thus having:
wiripbwtscoiw
abithibttitt

Then swap letters for numbers:
a=4 e=3 i=1 o=0 s=8 p=9 l=7

would translate to:
w1r19bwtsc01w
4b1th1bttb1tt

Other possible flips could be to use the number in place of the word, i.e.,

one=1 four=4 and so on.

You could also use '&' in place of the word 'and'.

You can make the flip anything you want, but make it so that you will
remember what that flip is. Then add punctuation as needed.

Password generators are good too, and their passwords have no reason behind
them, which makes them good but also makes them harder to remember.

Also never use short phrases. At least 10 letters long. 15 or more is
even better.

There is no such thing as an uncrackable password. Given enough time all
passwords can and will be cracked. We just have to make it harder for the
cracker and hope that he will be caught before he can crack the password.

--

Regards
Robert

Smile... it increases your face value!


Robert, Jan 22, 2006
7. Borked Pseudo Mailed

Joseph wrote:

> numbers, symbols, upper and lower case, over 8 characters and also be
> gibberish. Obviously there must be a balance between strength and using a
> password that is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8
> character password would be consisting of numbers, upper and lower case
> letters and is just gibberish, thus not prone to dictionary attacks.
>
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?

At 100 guesses a second, it would take about 218.3 Billion seconds to try
every possible combination. You do the math, but I'm guessing in the
thousands of years.

Note that it's generally not necessary to try every combination. The rule
of thumb is half of them. The 50/50 point is what you want to focus on.

Borked Pseudo Mailed, Jan 22, 2006
8. Dave Keays

Robert wrote:
> On Sat, 21 Jan 2006 23:59:22 +0000, Joseph wrote:
>
>
>>symbols, upper and lower case, over 8 characters and also be gibberish.
>>Obviously there must be a balance between strength and using a password that
>>is at least memorable.

>
>
> I always tell people to forget about using words for their passwords, use
> phrases.
>
> For example:
>
> When It Rains It Pours But When The Sun Comes Out It's Warm
> A Bird In The Hand Is Better Than Two In The Tree
>
> Then use only the first letter of every word,
>
> thus having:
> wiripbwtscoiw
> abithibttitt
>
> Then swap letters for numbers:
> a=4 e=3 i=1 o=0 s=8 p=9 l=7
>
> would translate to:
> w1r19bwtsc01w
> 4b1th1bttb1tt
>
> Other possible flips could be to use the number in place of the word, i.e.,
>
> one=1 four=4 and so on.
>
> You could also use '&' in place of the word 'and'.
>
> You can make the flip anything you want, but make it so that you will
> remember what that flip is. Then add punctuation as needed.
>
> Password generators are good too, and their passwords have no reason behind
> them, which makes them good but also makes them harder to remember.
>
> Also never use short phrases. At least 10 letters long. 15 or more is
> even better.
>
> There is no such thing as an uncrackable password. Given enough time all
> passwords can and will be cracked. We just have to make it harder for the
> cracker and hope that he will be caught before he can crack the password.
>
>

What I tell people is to use a mangled passphrase that is complex and memorable,
and can be written down "securely". It usually looks like "l337 Sp3ak" (elite
speak) used by hackers.

What I do:
1) pick 3 words out of a book randomly that don't relate to each other. (Each
word must be at least 4 characters long.)

2) Remove all spaces and punctuation.

3) Capitalize all words.

4) change some lowercase letters to numbers (l=1, e=3, g=5, g=6, t=7, b=8, p=9)

5) change some lowercase letters to symbols (a=@, i=!, s=$, x=*)

6) write the unmangled phrase down and keep it secure.

You now have a passphrase that is long, includes upper/lower case letters,
numbers and symbols. Those "random" words are difficult the first 2 or 3 times.
After that, the phrase sticks in your memory like the lyrics of a bad song.

Then if you've forgotten the phrase, get the written copy and mangle it in your

Example
phase 1: handed design change
phase 2: handeddesignchange
phase 3: HandedDesignChange
phase 4: Hand3dD3si6nChan63
phase 5: H@nd3dD3s!6nCh@n63

If they need a more secure phrase increase the size of the phrase with 5 or 6
words, use extended characters between the words, and throw a misspelling in.

<http://en.wikipedia.org/wiki/Extended_ASCII>

--

Dave Keays

Dave Keays, Jan 22, 2006
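Robert's phrase-to-acronym-and-swap recipe and Dave Keays' phases 1 to 5, written as deterministic functions so the results can be checked against the examples in their posts. This is an added example, not code from either poster; the substitution tables are the ones they give (Dave's post lists both g=5 and g=6, and his worked example uses 6). Because both posters swapped only "some" letters by hand, the function output differs from theirs wherever an 's' was left unswapped: Robert's w1r19bwtsc01w versus w1r19bwt8c01w here, and Dave's D3s!6n versus D3$!6n here.

```python
"""Passphrase mangling as Robert and Dave Keays describe it, as deterministic
functions. Added example, not the posters' own code; the substitution tables
are the ones given in their posts."""

# Robert: a=4 e=3 i=1 o=0 s=8 p=9 l=7
ROBERT_TABLE = str.maketrans("aeiospl", "4310897")
# Dave Keays phase 4: l=1 e=3 g=6 t=7 b=8 p=9 (his worked example uses g=6)
KEAYS_DIGITS = str.maketrans("legtbp", "136789")
# Dave Keays phase 5: a=@ i=! s=$ x=*
KEAYS_SYMBOLS = str.maketrans("aisx", "@!$*")


def acronym(phrase: str) -> str:
    """Robert's step: keep only the first letter of every word, lower-cased."""
    return "".join(word[0] for word in phrase.split()).lower()


def robert_password(phrase: str) -> str:
    """Acronym, then Robert's letter-for-number swap on every matching letter."""
    return acronym(phrase).translate(ROBERT_TABLE)


def keays_phases(words: list[str]) -> list[str]:
    """Dave Keays' phases 1 to 5, returned as the intermediate strings so each
    step can be checked. Phase 6 (writing the plain phrase down) is not code."""
    cleaned = ["".join(ch for ch in w if ch.isalnum()) for w in words]
    p1 = " ".join(words)                            # phase 1: the chosen words
    p2 = "".join(cleaned)                           # phase 2: no spaces or punctuation
    p3 = "".join(w.capitalize() for w in cleaned)   # phase 3: capitalise each word
    p4 = p3.translate(KEAYS_DIGITS)                 # phase 4: some lowercase letters -> digits
    p5 = p4.translate(KEAYS_SYMBOLS)                # phase 5: some lowercase letters -> symbols
    return [p1, p2, p3, p4, p5]


if __name__ == "__main__":
    print(robert_password("When It Rains It Pours But When The Sun Comes Out It's Warm"))
    for phase, text in enumerate(keays_phases(["handed", "design", "change"]), start=1):
        print(f"phase {phase}: {text}")
```

The swap step is a fixed mapping applied to the phrase, so it changes which symbols appear but not how many candidate phrases there are; anyone who knows the table gets the same output from the plain phrase. That is why the length advice in both posts (10 to 15 or more characters, several unrelated words) is what sets the guessing cost, and why the substitution table is chosen for memorability rather than for strength.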
9. Dave Keays

Borked Pseudo Mailed wrote:
> Joseph wrote:
>
>
>>numbers, symbols, upper and lower case, over 8 characters and also be
>>gibberish. Obviously there must be a balance between strength and using a
>>password that is at least memorable.
>>

[snip]

>>How long would it take to crack a password of this complexity by brute
>>force?

>
> At 100 guesses a second, it would take about 218.3 Billion seconds to try
> every possible combination. You do the math, but I'm guessing in the
> thousands of years.

With the distributed computing capabilities today, it could be done a lot
sooner. With a botnet controlling 400,000 PCs it would take less than a day.
Just have one zombie check for "aaaa" to "aaaz" then next for "aaba" to "aabz".
I'm doing the math quick in my head so forgive me if I'm not accurate here.

I use the 400,000 number because someone was arrested for having a botnet that
size last November.

[snip]

--

Dave Keays

Dave Keays, Jan 23, 2006
10. Borked Pseudo Mailed

Dave Keays wrote:

>> At 100 guesses a second, it would take about 218.3 Billion seconds to
>> try every possible combination. You do the math, but I'm guessing in the
>> thousands of years.

>
> With the distributed computing capabilities today, it could be done a lot
> sooner. With a botnet controlling 400,000 PCs it would take less than a
> day.

Not likely. 100 guesses a second was an out-of-thin-air number and likely
impossible to begin with. Regardless, if you're eating clock cycles like
that, everything else on the machine is dog slow or dead. Your bots would
be dropping like flies. Which means you're going to have to figure out
some way of tracking which data chunk belongs to which bot and reassign it
AFTER you realize a bot is deceased, which is probably going to be after
the time it should have taken to check its bit of data has passed.

And that's only if you can manage to figure out how to distribute the
cracking/tracking software and data to 400,000 machines without being
detected, outed as a "cyber terrorist", and put in jail for the next 20
years. At which time you might be able to start the whole process over.
With faster hardware of course. ;-)

It's not really about the raw numbers at this point of the discussion,
it's about the practicality of doing the work. Sure, enough machines could
do that work, but can you get them together and keep them together?

Borked Pseudo Mailed, Jan 23, 2006
11. Winged

Dave Keays wrote:
> Borked Pseudo Mailed wrote:
>
>>Joseph wrote:
>>
>>
>>
>>>numbers, symbols, upper and lower case, over 8 characters and also be
>>>gibberish. Obviously there must be a balance between strength and using a
>>>password that is at least memorable.
>>>

>
> [snip]
>
>
>>>How long would it take to crack a password of this complexity by brute
>>>force?

>>
>>At 100 guesses a second, it would take about 218.3 Billion seconds to try
>>every possible combination. You do the math, but I'm guessing in the
>>thousands of years.

>
>
> With the distributed computing capabilities today, it could be done a lot
> sooner. With a botnet controlling 400,000 PCs it would take less than a day.
> Just have one zombie check for "aaaa" to "aaaz" then next for "aaba" to "aabz".
> I'm doing the math quick in my head so forgive me if I'm not accurate here.
>
> I use the 400,000 number because someone was arrested for having a botnet that
> size last November.
>
> [snip]
>

Assuming a dedicated botnet of 400,000 and the calculation of 17 years
for a complex 8 digit password for a single computer, and assuming
dedicated efficiency, would equate to 22.5 minutes (rough) to try every
possible combination. While these efficiencies could never be achieved,
and for technical reasons a number of other issues come into play (such
as trying each by brute force against a host, which would surely catch
someone's attention). That said, it is significantly easier to crack "IF"
the attacker has a copy of the SAM or password file. Properly
configuring a system to time out after 3 missed attempts for 15 minutes
slows external brute force attacks, however it does nothing to stop someone
who has snagged the appropriate file or communication.

Encryption methods used for authentication (either NTLS or SSL) can be
broken if sniffed with significantly less effort. SSL is a piece of
cake if one has captured both sides of the communication stream due to
inherent weakness in the method (not the encryption algorithm itself).

This said, there are usually easier methods to penetrate busy networks.
If one footprints the victim's network well, there is usually an easier
way in.

Winged

Winged, Jan 23, 2006
12. John Hyde

on 1/21/2006 3:59 PM Joseph said the following:
> symbols, upper and lower case, over 8 characters and also be gibberish.
> Obviously there must be a balance between strength and using a password that
> is at least memorable.
>
> Not being a security expert, would anyone tell me how secure an 8 character
> password would be consisting of numbers, upper and lower case letters and is
> just gibberish, thus not prone to dictionary attacks.
>
> Doing the math, I see 62*62*62*62*62*62*62*62=218,340,105,584,896
> combinations.
>
> How long would it take to crack a password of this complexity by brute
> force?
>
> Thank you
>
>

As others have suggested, it really depends on how many combinations per
second an attacker can try.

Your example is 2.18e14 combinations (2.18 x 10^14)
The number of seconds per year: 3.15e7

If an attacker can "try" one per second, on average, then it will take
about 7 million years. (6.9e6) (Yes, as other commentators said, you
really are looking at the 50/50. So divide all my results by 2 if you must)

Now that's an actual calculated number, but for the purposes of
discussion, remember you can divide by subtracting exponents. So the
exponents become very important. Add three to the exponent, and you
multiply the difficulty by 1000.

Example, Just adding two digits, so the password is at least 10
characters makes it 62^10 or 8.4e17. In one try per second land, it now
takes 26 Billion years, a truly significant leap in entropy. To that,
allow the following 19 characters: !@#$%^&*(){}[]<>?~`. Now the
attacker must try 81^10 combinations, 1.21e19. Now, we're really talking!

The practical problem, as many have mentioned, is the difficulty of
creating, remembering and protecting such a password.

Cheers,

JH

John Hyde, Jan 24, 2006
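The arithmetic the posters do by hand (Joseph's 62^8 count, Arthur's "bits of entropy" for it, Borked Pseudo Mailed's 100 guesses a second, John Hyde's one guess a second with his 62^10 and 81^10 cases, and Winged's 17 years spread over 400,000 hosts) collected into one script. This is an added example, not code from any poster; the guess rates and host counts are the thread's own illustrative figures, not measurements of any cracking tool. One check it surfaces: at 100 guesses a second the full 62^8 space takes about 2.18e12 seconds (2.18 trillion), ten times the 218.3 billion quoted earlier in the thread.

```python
"""Brute-force cost arithmetic for the password figures quoted in this thread.

Added example, not code from any poster. The guess rates and machine counts
are the thread's own illustrative numbers (1/s, 100/s, 400,000 hosts), not
measurements of any real cracking tool.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60   # 31,557,600; John Hyde rounds to 3.15e7


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of
    `alphabet_size` symbols. Joseph's case: 62**8 = 218,340,105,584,896."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, as Arthur describes it:
    log2 of the number of combinations, which is length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def seconds_to_search(space: int, guesses_per_second: float,
                      machines: int = 1, fraction: float = 1.0) -> float:
    """Wall-clock seconds to try `fraction` of the space with `machines`
    independent guessers each making `guesses_per_second` attempts.

    fraction=1.0 is an exhaustive search; fraction=0.5 is the "50/50 point"
    Borked and John Hyde mention: on average a uniformly random password is
    found halfway through the space."""
    if guesses_per_second <= 0 or machines <= 0:
        raise ValueError("guess rate and machine count must be positive")
    return space * fraction / (guesses_per_second * machines)


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def thread_scenarios() -> dict:
    """The figures quoted in the thread, recomputed from the definitions above."""
    s62_8 = keyspace(62, 8)
    return {
        # Joseph's count and Arthur's "bits of entropy" for it
        "joseph_space": s62_8,
        "joseph_bits": entropy_bits(62, 8),
        # Borked Pseudo Mailed's 100 guesses a second, exhaustive search
        "borked_seconds_at_100_per_s": seconds_to_search(s62_8, 100),
        # John Hyde's one guess a second, exhaustive search, in years
        "hyde_years_62_8": years(seconds_to_search(s62_8, 1)),
        "hyde_years_62_10": years(seconds_to_search(keyspace(62, 10), 1)),
        "hyde_space_81_10": keyspace(81, 10),
        # Winged: a rate that takes one machine 17 years, spread over 400,000 hosts
        "winged_minutes": seconds_to_search(
            s62_8, s62_8 / (17 * SECONDS_PER_YEAR), machines=400_000) / 60,
    }


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        shown = f"{value:,}" if isinstance(value, int) else f"{value:,.4g}"
        print(f"{name:30s} {shown}")
```

The `machines` parameter is what turns Winged's one-machine figure into his 22-odd minutes, and `fraction=0.5` is the halving John Hyde invites the reader to apply; both are plain division of the same key-space count, which is why, as John Hyde says, the exponent (the length and alphabet size) matters far more than any realistic change in guess rate.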

Most of the pros that have written about the subject suggest a
password with a length of 10-13 random characters for the best
security. The little extra length adds a lot more calculations to a
brute force attack. We have a free password generator link on our web
site and a free password protection program (blowfish encryption) that

You'll only need to remember one pass to get into the program. Bruce
Schneier wrote it. It saves getting into the habit of writing down

Regards

* www.privacyoffshore.net (no logs Internet)
* Anonymous Secure Offshore SSH-2 Surfing Tunnels
* Anonymous Mail & News through SSH-2 Tunnels
* Free Resources and Privacy Software

14. Donnie

>
> If an attacker can "try" one per second, on average, then it will take
> about 7 million years. (6.9e6) (Yes, as other commentators said, you
> really are looking at the 50/50. So divide all my results by 2 if you

must)
>

##############################################
Here are some passwds for servers running Front Page (right column).
test (iqstech)
pdgt ( rkm)
4210 ( esven)
rules (ahold)
Look how weak they are. It took John The Ripper about 4 minutes to crack
them. That's 4 out of 31 in the file that I created.
I'll let JTR run on the file for no more than 2 days at the most. No one in
their right mind is going to spend months trying to crack them unless it's
one company trying to find out what their competitor is doing or something
else that might mean a lot of money and if it means that much, I'm sure they
will look for another way to enter. The point is that it's just not
necessary to ANALyse passwds that much. If you force your users to go w/
the 8 mixed characters or more or as someone said, use phrases, that's the
end of the story. BTW, if you're using front page, make sure that
donnie

Donnie, Jan 24, 2006
15. Borked Pseudo Mailed

Spammer.

It's not necessary to go through your data mining site to get Password
Safe. Here is the actual URL people....

> * www.privacyoffshore.net (no logs Internet) * Anonymous Secure Offshore

Bradenton, Florida is off shore now? Or did you mean off shore from some
other perspective?

> SSH-2 Surfing Tunnels * Anonymous Mail & News through SSH-2 Tunnels * Free
> Resources and Privacy Software

Anonymous, Eh? Perhaps you can explain how you can offer any real
anonymity in light of the fact that you're a subscription based, single
point of contact, and open to easy traffic analysis as a result of
being real time...??

Why are you using squid if you're not logging?

Where would these alleged "off shore" servers reside? Care to name them?
Or are you afraid to have them scrutinized? Maybe they're not as off shore
as you claim?

Over half your "advertised" servers are inside EU member nations. Are you
unaware of the recent developments regarding forced logging of ALL
connection data in those member nations? The forced log retention? Or do
you just not care?

Why do you still have servers in Hong Kong after it's been shown that it's
easier to force information out of that Government than it is to get it
(legally) in the US?

Why are you stealing bandwidth from the Tor network for your profit? If
you're really an ANONYMOUS service, why would you need it?

Are you going to be just like the rest of your puppet service's puppets
and dodge these honest questions?

I'm betting you will......

Borked Pseudo Mailed, Jan 24, 2006
16. Dave Keays

Winged wrote:
> Dave Keays wrote:
>
>> Borked Pseudo Mailed wrote:
>>
>>> Joseph wrote:
>>>
>>>
>>>
>>>> numbers, symbols, upper and lower case, over 8 characters and also be
>>>> gibberish. Obviously there must be a balance between strength and
>>>> using a
>>>> password that is at least memorable.
>>>>

>>
>> [snip]
>>
>>
>>>> How long would it take to crack a password of this complexity by brute
>>>> force?
>>>
>>>
>>> At 100 guesses a second, it would take about 218.3 Billion seconds to
>>> try
>>> every possible combination. You do the math, but I'm guessing in the
>>> thousands of years.

>>
>>
>>
>> With the distributed computing capabilities today, it could be done a lot
>> sooner. With a botnet controlling 400,000 PCs it would take less than
>> a day.
>> Just have one zombie check for "aaaa" to "aaaz" then next for "aaba"
>> to "aabz".
>> I'm doing the math quick in my head so forgive me if I'm not accurate
>> here.
>>
>> I use the 400,000 number because someone was arrested for having a
>> botnet that
>> size last November.
>>
>> [snip]
>>

> Assuming a dedicated botnet of 400,000 and the calculation of 17 years
> for a complex 8 digit password for a single computer, and assuming
> dedicated efficiency, would equate to 22.5 minutes (rough) to try every
> possible combination. While these efficiencies could never be achieved,
> and for technical reasons a number of other issues come into play (such
> as trying each by brute force against a host, which would surely catch
> someone's attention). That said, it is significantly easier to crack "IF"
> the attacker has a copy of the SAM or password file. Properly
> configuring a system to time out after 3 missed attempts for 15 minutes
> slows external brute force attacks, however it does nothing to stop someone
> who has snagged the appropriate file or communication.
>
> Encryption methods used for authentication (either NTLS or SSL) can be
> broken if sniffed with significantly less effort. SSL is a piece of
> cake if one has captured both sides of the communication stream due to
> inherent weakness in the method (not the encryption algorithm itself).
>
> This said, there are usually easier methods to penetrate busy networks.
> If one footprints the victim's network well, there is usually an easier
> way in.

Very true. But we were talking about the theoretical ability to crack passwords.
Whether or not the password should be broken is not a major concern here. But
things tend to be a little more complicated in real life.

Bork's statement sounds too much like the statement about DES many years ago and
about WEP just a few years ago.

No encryption or password/passphrase is a silver bullet. Ignoring the risks is
a recipe for doom in my eyes.

--

Dave Keays

Dave Keays, Jan 24, 2006
17. Dave Keays

Borked Pseudo Mailed wrote:
> Dave Keays wrote:
>
>
>>>At 100 guesses a second, it would take about 218.3 Billion seconds to
>>>try every possible combination. You do the math, but I'm guessing in the
>>>thousands of years.

>>
>>With the distributed computing capabilities today, it could be done a lot
>>sooner. With a botnet controlling 400,000 PCs it would take less than a
>>day.

>
>
> Not likely. 100 guesses a second was an out-of-thin-air number and likely
> impossible to begin with. Regardless, if you're eating clock cycles like
> that, everything else on the machine is dog slow or dead. Your bots would
> be dropping like flies. Which means you're going to have to figure out
> some way of tracking which data chunk belongs to which bot and reassign it
> AFTER you realize a bot is deceased, which is probably going to be after
> the time it should have taken to check its bit of data has passed.
>

What about only using idle time like SETI does?

> And that's only if you can manage to figure out how to distribute the
> cracking/tracking software and data to 400,000 machines without being
> detected, outed as a "cyber terrorist", and put in jail for the next 20
> years. At which time you might be able to start the whole process over.
> With faster hardware of course. ;-)

This was done in November by a teen in LA. Except he was caught. A little
maturity and that would be cured.

> It's not really about the raw numbers at this point of the discussion,
> it's about the practicality of doing the work. Sure, enough machines could
> do that work, but can you get them together and keep them together?
>

I've heard similar arguments before. In the 90s how long was it supposed to take
to break 56-bit DES? Millions of years I think. I've even heard that recently
about WEP. Someone still believes it can't be broken in a lifetime. (I should
have grabbed his handkerchief so we would have a DNA sample.)

--

Dave Keays

Dave Keays, Jan 24, 2006
18. blackhat

Well it looks like the trolls are back,

>>Spammer.

That would be you troll

>>It's not necessary to go through your data mining site to get Password
>>Safe. Here is the actual URL people....

> * www.privacyoffshore.net (no logs Internet) * Anonymous Secure Offshore

>>Bradenton, Florida is off shore now? Or did you mean off shore from some
>>other perspective?

> SSH-2 Surfing Tunnels * Anonymous Mail & News through SSH-2 Tunnels * Free
> Resources and Privacy Software

>>Anonymous, Eh? Perhaps you can explain how you can offer any real
>>anonymity in light of the fact that you're a subscription based, single
>>point of contact, and open to easy traffic analysis as a result of
>>being real time...??

>>Why are you using squid if you're not logging?

>>Where would these alleged "off shore" servers reside? Care to name them?
>>Or are you afraid to have them scrutinized? Maybe they're not as off shore
>>as you claim?

>>Over half your "advertised" servers are inside EU member nations. Are you
>>unaware of the recent developments regarding forced logging of ALL
>>connection data in those member nations? The forced log retention? Or do
>>you just not care?

>>Why do you still have servers in Hong Kong after it's been shown that it's
>>easier to force information out of that Government than it is to get it
>>(legally) in the US?

>>Why are you stealing bandwidth from the Tor network for your profit? If
>>you're really an ANONYMOUS service, why would you need it?

Go crawl under your rock troll and read their web site, stay anonymous
and use re-mailers, then we'll know you haven't got an agenda, LOL

blackhat, Jan 24, 2006
19. Lars

If you use letters, numbers, symbols and non-printable characters such
as esc, and other commands, the real number of password combinations
would be 256^n different ones, where n is the number of characters in your
password. For a 7 digit password, there would be 72057594037927936 different pwd
combinations. That's a lot.

Lars, Jan 24, 2006
20. George Orwell

Lars wrote:

> If you use letters, numbers, symbols and non-printable characters such as
> esc, and other commands, the real number of password combinations would be
> 256^n different ones, where n is the number of characters in your password.
> For a 7 digit password, there would be 72057594037927936 different pwd
> combinations. That's a lot.

Stick to letters, numbers, and symbols like !_@#\$%&*. There's plenty of
characters to choose from to make sufficiently strong pass phrases, and
more than one time I've seen those "unprintable" characters booger up a
pass phrase to the point a private PGP key had to be pitched, and a