Password Strength II
From: Chris Berry (compjma@hotmail.com)Date: 06/28/02
- Previous message: Jason Yates: "RE: Apache Problem, Hack, Worm, or Something else"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Jun 2002 23:48:19 -0000 From: Chris Berry <compjma@hotmail.com> To: security-basics@securityfocus.com('binary' encoding is not supported, stored as-is)
I've gotten quite a few responses saying no because the passwords I asked
about previously (theusgotbeatbygermany vs. VX.97tf) had dictionary words
in it, which is what I've always told my users in the past, however I was
doing some math and it makes it look different, maybe someone here can
point out my error.
In a brute force attack the longer password will always be better, we're
all agreed on that, however hackers are smarter than that and will try
dictionary and hybrid attacks first. So this is what I think the odds are
approximately:
VX.97tf has to be brute forced so 68^7=6x10^12 certainly a big number and
good to go in my book.
theusgotbeatbygermany doesn't have to be brute forced, and is susceptible
to a dictionary attack so instead of letters the possiblity is based on
individual words which is 6, the LC4 program standard dictionary has 29000
entries (approximately) so we're looking at 29000^6=5x10^26 A BIGGER
NUMBER! (not to mention making it impossible to store in a LM hash)
Am I missing something?
- Previous message: Jason Yates: "RE: Apache Problem, Hack, Worm, or Something else"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
