On 11/08/2011 03:27 AM, Chambers wrote:
> I thought this was funny, since there was the recent discussion on
> password strength...
>
> http://xkcd.com/936/
People on the XKCD forums have posted links to several online "password
strength meters". These are mostly of the type where you get a +10 point
bonus for using uppercase and lowercase, but a -N penalty for every N
consecutive characters of the same type, but then there's also a score
for...
Personally, I think the most /realistic/ way to gauge password strength
is to see how long it takes real, commonly-available password crackers
to break your password. After all, /that/ is what most unsophisticated
attackers are going to use against you.
> Correctly demonstrates that the important facet is the sheer length of
> the password :)
>
> (Assuming that the person trying to crack it doesn't take a stab at
> solving for combinations of simple words like this before they go brute
> force on your a**)
This assumption is unnecessary. That's the point.
People have bandied around the figure of "8,000 words" as a typical
English vocabulary. I have no idea whether that's correct or not. (It
varies wildly depending on what you count as a "word".) That means that
if your password is, literally, a word, an attacker has 8,000
combinations to try. This is trivial.
If your password is 4 words, an attacker now has 8,000^4 =
4,096,000,000,000,000 combinations to try (again, still assuming that
they /know/ they only need to check combinations of common dictionary
words). That's 4 quadrillion 97 trillion. This is going to take
drastically longer. Assuming you can check one million combinations per
second, that's about 130 years. (Assuming the same speed, 8,000
combinations would take less than 1 second.)
As I recently wrote, this is the utterly counter-intuitive thing about
combinatorics. The exponential function works in such a way that X
digits can be trivially crackable, but X+Y, where Y is a fairly small
number, can be utterly infeasible to crack.
Now, if instead of 1 computer, you had 130, then the password would only
take 1 year to crack, instead of over a century...
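The arithmetic above, carried through as an added example (this is not code from the thread or from xkcd): it reproduces the 8,000-word, four-word, one-million-guesses-per-second figures from the post, expresses the search space in bits so that a word-based passphrase can be compared with a random character password of the same strength, and tabulates how the exhaust time grows with each extra word. The 95-character printable-ASCII alphabet, the 365.25-day year and the "divide by number of machines" model for parallel cracking are assumptions of the example, not statements from the post.

```python
"""Added example: the combinatorics behind the 'four random words' argument.

Constructed assumptions: words are drawn uniformly with replacement from the
vocabulary, the attacker knows the vocabulary and the word count (the post's
worst case for the defender), a year is 365.25 days, and N machines simply
multiply the guess rate by N.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # assumed alphabet size for a 'random characters' password


def passphrase_combinations(vocabulary_size: int, words: int) -> int:
    """Search space for `words` words chosen uniformly from `vocabulary_size`."""
    return vocabulary_size ** words


def char_password_combinations(alphabet_size: int, length: int) -> int:
    """Search space for `length` characters chosen uniformly from an alphabet."""
    return alphabet_size ** length


def entropy_bits(combinations: int) -> float:
    """Guessing entropy in bits: log2 of the size of the search space."""
    return math.log2(combinations)


def seconds_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    """Worst case, the attacker tries every candidate; on average it takes half this."""
    return combinations / guesses_per_second


def years_to_exhaust(combinations: int, guesses_per_second: float,
                     machines: int = 1) -> float:
    """Years to exhaust the space when `machines` identical crackers share the work."""
    return seconds_to_exhaust(combinations, guesses_per_second * machines) / SECONDS_PER_YEAR


def growth_table(vocabulary_size: int, max_words: int,
                 guesses_per_second: float) -> list:
    """One row per word count: (words, combinations, bits, years at the given rate).

    The point of the post: each extra word multiplies the space by the vocabulary
    size, so 'trivial' and 'infeasible' are only a few words apart."""
    rows = []
    for n in range(1, max_words + 1):
        combos = passphrase_combinations(vocabulary_size, n)
        rows.append((n, combos, entropy_bits(combos),
                     years_to_exhaust(combos, guesses_per_second)))
    return rows


def equivalent_char_length(vocabulary_size: int, words: int,
                           alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Smallest random-character password length whose search space is at least
    as large as the word-based passphrase."""
    target = passphrase_combinations(vocabulary_size, words)
    length = 1
    while char_password_combinations(alphabet_size, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    RATE = 1_000_000  # guesses per second, the figure used in the post
    for words, combos, bits, years in growth_table(8000, 5, RATE):
        print(f"{words} word(s): {combos:>22,d} candidates, "
              f"{bits:5.1f} bits, {years:14.4f} years at 1M/s")
    print("4 words on 130 machines:",
          round(years_to_exhaust(8000 ** 4, RATE, machines=130), 2), "years")
    print("Random printable-ASCII length matching 4 words:",
          equivalent_char_length(8000, 4))
```

Two things the table makes visible that the prose only states: four words from an 8,000-word vocabulary is about 52 bits, which is roughly the strength of an 8-character password drawn uniformly from all 95 printable ASCII characters (harder to remember, not harder to crack), and adding a fifth word pushes the one-million-guesses-per-second exhaust time from about 130 years to about a million years. The only defender-side lever that changes the picture is the guess rate, which is why a slow password hash matters as much as the password itself.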