Re: brute-force estimation

"Joseph Ashwood" <ashwood@xxxxxxx> writes:

"Elenhil" <elenhil@xxxxxxxxx> wrote in message
news:1140599172.853058.63330@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Say, I have a 20 character long password consisting of latin
characters (capital and lower-case), numbers and basic punctuation.
That is roughly 80 symbols to play with.

How many combinations one must look through from 1 to 20 (the exact
length is unknown) with unoptimized brute force?

the answer is (80^20)/2 or safe by any means. That assumes you pick the
password randomly, for example using a pair of dice. I'm sure you can figure
out where I plugged the numbers in.

Generally we base our compliexity decisions based on an estimated largest
network it would be possible to build, and the timeframe. Right now the
generally agreed on (which I disagree with because we've left it the same
for over a decade) complexity required for near term security (<10 years) is
2^80. For medium term (<50 years) security the number usually quoted is
2^120+, and for long term (basically forever) 2^256.

My personally preferred method for generating secure passwords is a
derivative of Diceware (www.diceware.com) where I simply assign a-z and 0-9
to the roll of a pair of dice (two different colors, read the same one first
always), 36 is close enough to 32 that I can count each character as 5 bits,
and tune the security level very easily. This doesn't work too well on an
old UNIX system, but in modern systems where some [person] decided that a
space is not a valid character for a password it works well.
Joe

Just run a string of n random bytes (eg from /dev/urandom) through
uuencode, and you have 64 characters random string passwords.

.

Relevant Pages

  • [REVS] CRLF Injection
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... two commonly used non-printing ASCII characters. ... additional fake log entry. ... E-mail headers, news headers and HTTP headers all have the structure "Key: ...
    (Securiteam)
  • [Full-disclosure] Re: What A Click! [Internet Explorer]
    ... > tell your windows to open .HTA files in notepad. ... > (since there are more ways to cover windows with malicious lookalikes). ... >> Using custom Microsoft Agent characters it is possible to cover any kind ... including security or download dialogs. ...
    (Full-Disclosure)
  • Re: Linksys home network problems
    ... That refers to a password of only 8 characters. ... But that compromises your security. ... What of the guest is using his laptop given by his employer "Intel"? ... Use a hotspot-type router with different security zones, ...
    (alt.internet.wireless)
  • Re: brute-force estimation
    ... characters, numbers and basic punctuation. ... for example using a pair of dice. ... For medium term security the number usually quoted is ... old UNIX system, but in modern systems where some decided that a ...
    (sci.crypt)
  • [NT] Address Bar Spoofing Attacks Against Microsoft Internet Explorer 6
    ... Get your security news from a reliable source. ... Address Bar Spoofing Attacks Against Microsoft Internet Explorer 6 ... i.e. it's different than the ASCII similar characters ...
    (Securiteam)
Quantcast