Xref: utzoo sci.crypt:1396 comp.unix.wizards:13533 news.sysadmin:1957
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: Yet Another useful paper
Message-ID: <4420@xenna.Encore.COM>
Date: 17 Dec 88 17:04:53 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 62
In-reply-to: dlm@cuuxb.ATT.COM's message of 16 Dec 88 22:07:42 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun  9 1987 on xenna (berkeley-unix)


>As far as UNIX passwords, it further justifies the use of a shadow
>password file and the use of 64 character pass phrases.
>
>-- 
>=Dennis L. Mumaugh

Why? Because it shows a 20x speedup possibility? Let's do the
arithmetic again...

Given a 100 character character set and 8 characters in a password
the search space is 100^8 which is:

	10,000,000,000,000,000

Currently even fast DES implementations on fast processors can't seem
to hit 1,000 encryptions per second although it's probably possible,
let's allow 20,000 encryptions per second, a brute force search would
now take:

	500,000,000,000


500 billion seconds or almost 16,000 years. Even improving *that* by a
factor of 1,000 (ie. 20,000,000 encryptions per second) wouldn't leave
much hope for the cracker (16 continuous machine-years.)

Drop down to a 64 character set and we get a search space of:

	281,474,976,710,656

which still takes 450 years to search completely at 20,000 encryptions
per second (even using arguments which say on average one only has to
search half the space this isn't too encouraging to a cracker.)

Improving by 1,000 further (a highly improbable event in the near
future) still reduces this to 6 months absolute dedicated machine time
on a machine or machine configuration (eg. parallel) which makes a
Cray-3 look like $4.99 pocket calculator.

If someone has access to those kinds of resources and wants into your
account they can hire a small army and hijack your computer much
cheaper and less visably.

Let's face it folks, at these fantastic rates the following methods
would be far more effective:

	1. Have a dirty tricks agency plant a video camera
	in your office ceiling which transmits images of you
	keying in your password.

	2. Tap your network.

	3. Bribe key personnel in your area to get whatever it
	is they really want.

	4. Purchase your company, even AT&T.

Dennis, without further justification for your position/conclusion I
claim you're grasping for straws and succumbing to mob mentality.

	-Barry Shein, ||Encore||