Re: Strong Passwords Revisited

From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/20/03 

From: "Lohkee" <Lohkee@worldnet.att.net>
Date: Mon, 20 Jan 2003 16:46:00 GMT

"Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
news:eXv0PTJwCHA.2868@TK2MSFTNGP12...
>
> "Olaf Kilian" <me@privacy.net> wrote in message
> news:20030120083440.5c7371fd.me@privacy.net...
>
> > The later the password would be guesed, the stronger it is. It absolutly
> > depends on the method of the attack used against it. If you try to
> > bruteforce a password with 0-8 chars - all alpha, lowercase - and you
> > begin with "a", than "zzzzzzzz" is very strong. But if you begin
> > guessing in reverse order "zzzzzzzz" is a joke and "a" is the strongest.

I agree in terms of time, however, this has nothing to do with "strength"
per se. It is possible that an attacker could guess the password on the
first attempt regardless of the number of possibilities or the contruction
of the password. Strength is based on the number of possibilities, the more
there are, the less likely it is that this will happen.

>
> Theoretically, yes, I suppose, though in real life, crackers probably
never
> go backwards, and if they did, it would still take them a discouragingly
> long time to crack even a single password. And because different cracking
> tools would consider Z or z or 0 or 9 or A or Þ to be the last character
to
> be tested, different tools would test passwords in different order.
>
>

I think "discouragingly" is relative. As longs as I can crack a password
before it expires, say 90 days, then 91 days becomes discouraging, otherwise
it is not a problem (depending on how bad I want to crack it - if there is
little payoff then why bother at all, i.e., 2 days is too much effort - if
the payoff is great then . . . )

Lohkee!

>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003
>
>

Relevant Pages

  • Re: Strong Passwords Revisited
    ... >> depends on the method of the attack used against it. ... I agree in terms of time, however, this has nothing to do with "strength" ... > long time to crack even a single password. ... before it expires, say 90 days, then 91 days becomes discouraging, otherwise ...
    (comp.security.misc)
  • Re: Strong Passwords Revisited
    ... >> depends on the method of the attack used against it. ... I agree in terms of time, however, this has nothing to do with "strength" ... > long time to crack even a single password. ... before it expires, say 90 days, then 91 days becomes discouraging, otherwise ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: testing wireless security
    ... It implements the standard FMS attack along with some optimizations ... aircrack-ng can ONLY crack pre-shared keys. ... There is another important difference between cracking WPA/WPA2 and WEP. ... is the approach used to crack the WPA/WPA2 pre-shared key. ...
    (FreeBSD-Security)
  • Re: SHA-one crack
    ... But it is the worst way to attack a cryptosystem. ... times the age of the Universe to crack with that method. ...
    (sci.crypt)