POV-Ray : Newsgroups : povray.off-topic : Password difficulty
  Re: Password difficulty  
From: Invisible
Date: 11 Aug 2011 04:08:56
Message: <4e438e18$1@news.povray.org>
On 11/08/2011 03:27 AM, Chambers wrote:
> I thought this was funny, since there was the recent discussion on
> password strength...
>
> http://xkcd.com/936/

People on the XKCD forums have posted links to several online "password 
strength meters". These are mostly of the type where you get a +10 point 
bonus for using uppercase and lowercase, but a -N penalty for every N 
consecutive characters of the same type, but then there's also a score 
for...

Personally, I think the most /realistic/ way to gauge password strength 
is to see how long it takes real, commonly-available password crackers 
to break your password. After all, /that/ is what most unsophisticated 
attackers are going to use against you.

> Correctly demonstrates that the important facet is the sheer length of
> the password :)
>
> (Assuming that the person trying to crack it doesn't take a stab at
> solving for combinations of simple words like this before they go brute
> force on your a**)

This assumption is unnecessary. That's the point.

People have bandied about the figure of "8,000 words" as a typical 
English vocabulary. I have no idea whether that's correct or not. (It 
varies wildly depending on what you count as a "word".) That means that 
if your password is, literally, a word, an attacker has 8,000 
combinations to try. This is trivial.

If your password is 4 words, an attacker now has 8,000^4 = 
4,096,000,000,000,000 combinations to try (again, still assuming that 
they /know/ they only need to check combinations of common dictionary 
words). That's 4 quadrillion 97 trillion. This is going to take 
drastically longer. Assuming you can check one million combinations per 
second, that's about 130 years. (Assuming the same speed, 8,000 
combinations would take less than 1 second.)

As I recently wrote, this is the utterly counter-intuitive thing about 
combinatorics. The exponential function works in such a way that X 
digits can be trivially crackable, but X+Y, where Y is a fairly small 
number, can be utterly infeasible to crack.

Now, if instead of 1 computer, you had 130, then the password would only 
take 1 year to crack, instead of over a century...
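The arithmetic in the post (8,000^4 candidates, one million guesses per second, 130 machines) carried through as a small estimator, so the jump from "trivial" to "infeasible" can be read off a table rather than worked by hand. This is an added example, not code from the post or from POV-Ray; the vocabulary sizes, guess rate and alphabet size are constructed inputs, and the model assumes the attacker already knows the password scheme and must exhaust it.

```python
"""Passphrase search-space and worst-case crack-time estimator (added example).

A password drawn from a vocabulary of V items with length L has V**L
candidates. An attacker who knows the scheme and tries `rate` guesses per
second on `machines` parallel machines needs at most V**L / (rate * machines)
seconds to exhaust them. Inputs below are constructed for illustration.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(vocab_size: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    if vocab_size < 1 or length < 1:
        raise ValueError("vocab_size and length must be positive")
    return vocab_size ** length


def crack_time_years(space: int, rate: float = 1e6, machines: int = 1) -> float:
    """Worst-case years to exhaust `space` at `rate` guesses/s per machine."""
    return space / (rate * machines) / SECONDS_PER_YEAR


def compare(vocab_size: int, lengths: range,
            rate: float = 1e6, machines: int = 1) -> list[tuple[int, int, float]]:
    """Rows of (length, candidates, years) showing the exponential growth."""
    rows = []
    for n in lengths:
        space = search_space(vocab_size, n)
        rows.append((n, space, crack_time_years(space, rate, machines)))
    return rows


if __name__ == "__main__":
    # Dictionary model from the post: an 8,000-word vocabulary, 1 to 5 words.
    for n, space, years in compare(8000, range(1, 6)):
        print(f"{n} word(s): {space:>22,} candidates  ~{years:14.6f} years")
    # Constructed contrast: 62-character alphanumeric passwords, 6 to 12 chars.
    # Each extra character multiplies the work by 62 instead of 8,000.
    for n, space, years in compare(62, range(6, 13)):
        print(f"{n} chars:   {space:>22,} candidates  ~{years:14.6f} years")
    # The post's closing point: 130 machines cut the 4-word case to ~1 year.
    print(f"4 words, 130 machines: ~{crack_time_years(search_space(8000, 4), machines=130):.2f} years")
```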


